Best Practice for Hiding API Keys.

Now perhaps this has been a big concern for many people these days but breaking this into reality, the answers are conflating two concerns mainly. This whole problem just prevents you from accidentally pushing the secrets into your public GitHub repository.
How to keep secrets safe when they're checked into a Git repository.
Using .yml files and set.gitignore *secrets.yml to ignore them.
.gitignore files storing secrets that may be required during the development process or encoded ideally securely in the executable, and then manage secure distribution to developers outside of Git.
‘Developer-specific credentials, as well as shared credentials, may be included. It’s best if you keep your files separate.
How to keep secrets protected inside a mobile app bundle or data so they don't leak.
In order to avoid storing secrets in Mobile App bundles or data , storing an API key that can come in use for hundreds or millions of app instances is a fool’s play. Individual users or instances should be accredited one by one separately.
In any of these cases, most third-party APIs will not allow access from mobile apps. Almost every time, you’ll have to create your own personal backend to interface it with the API.
If your app needs authentication, API access (in your own app) will be protected using the user’s credentials that are unique.
Almost bundle content, as well as the data. Can be encrypted using various algorithms, depending on how your app keeps sata. Of course, it always boils down to hiding some key, which, sure can go in the user’s keychain provided one is made or retrieved from your backend at the outset.
Other than this the best way for your api is to integrate app attestation service from Apple.