Hi Shery,
Here is an article that walks you through getting a REST session Key and including it in an API request:
https://developer.khoros.com/khoroscommunitydevdocs/docs/session-key
You should avoid storing the API session key in the browser and you don't have to make API calls using an API session key if you are making them from a community page.
If you are on a community page and you don't pass an API session key, then it should be made as the currently signed-in user for the page (with checks to prevent XSRF). Always use HTTP POST for calls that modify data (such as message posting) and never make the call on page load (always require a form submit).
You could also do these server-side via a studio endpoint and it would use the current user's community web session to authenticate them. If you do that, make sure to add checks in the endpoint that only allow HTTP POST (and don't allow GET) and also add some kind of XSRF protection.
Don't make API or Endpoint calls that modify data during page load (always require a form submit).
If you are calling the API from a different domain, then you should make a server-to-server call with the API session key, but never store the key in a browser.
I hope this helps.
-Doug
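The two endpoint checks Doug describes (POST only, plus XSRF protection) as an added illustration, not code from the post or from Khoros Studio; the in-memory `SESSIONS` store, `guard_endpoint` and `post_message` are constructed stand-ins for the community web session and a data-modifying endpoint, and the API session key stays server-side throughout:

```python
import hmac
import secrets

# Constructed, in-memory stand-in for the community web session store.
# A real Studio endpoint would read the current user's session instead.
SESSIONS = {}


def new_session(user_id):
    """Create a web session and mint an XSRF token bound to it.

    The token is what the page puts in a hidden form field; the API
    session key itself never leaves the server.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user_id, "xsrf": secrets.token_urlsafe(32)}
    return sid


def guard_endpoint(method, session_id, form):
    """Return (status, reason); 200 only for a POST carrying a valid token."""
    if method != "POST":
        # A GET triggered by page load or a crafted link is refused outright.
        return 405, "endpoint only accepts POST"
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no signed-in community session"
    token = form.get("xsrf_token", "")
    # Constant-time comparison so a mismatch cannot be distinguished by timing.
    if not hmac.compare_digest(token, session["xsrf"]):
        return 403, "missing or invalid XSRF token"
    return 200, "ok"


def post_message(method, session_id, form):
    """Modify data (post a message) only after the guard passes."""
    status, reason = guard_endpoint(method, session_id, form)
    if status != 200:
        return status, reason
    # Act as the currently signed-in user; any server-held session key
    # would be used here, never echoed back to the browser.
    user = SESSIONS[session_id]["user"]
    return 200, f"posted as {user}: {form['body']}"
```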