Use a proxy service which just exposes one key to that service - this is basically like 3
call the API from the back end - i think that mashape is an API proxy? yahoo also run an API proxy where you can use third party proxies - I have found this to be a bit unreliable.
if the API allows it you can tell it to only allow traffic from one domain - this actually seems like the most reasonable approach.
Use env variables if you have a back end and access to the server.