Why must API keys be kept private?

I have worked with public APIs in only one small project, but I recently learned that if one were to distribute a project with API keys inside, this is a security risk.

So I have two questions:

  • What does an API key contain that would pose a security risk?
  • How does one create an application that makes use of public APIs and distribute that application without posing a security risk?

Surely if someone can reverse engineer the application, they could extract any API keys that are present.

I am a fresh computer science graduate so an explanation of this would be much appreciated.

Many thanks!