It may be dumb, but it's not laugh-out-loud crazy. In fact, it's specifically one of the things that the DMCA does. Here's a whole ton of information about the law: http://chillingeffects.org/reverse/faq.cgi
And here's an article from the EFF with a few citations of cases where DMCA article 1201 has been used: https://www.eff.org/es/wp/unintended-consequences-under-dmca
> In fact, it's specifically one of the things that the DMCA does.
Well, the specific thing the DMCA does is to stop circumvention of an "effective technological protection measure". The crazy thing here is that there is no such measure: no use of encryption or scrambling -- or even passwords! -- that I can see, just simply using a network service's exposed command set. That makes it different to most (if not all) of the case law your link mentions.
A private (that is, not published) API Key sure sounds like a protection measure to me.
So if you want to resist, you could start there: by finding out (possibly by asking a lawyer to talk to them) how they think your tool is acting to "descramble a scrambled work, decrypt an encrypted work, (or equivalent actions)". If you want to do this, you might consider reaching out to the EFF for help.
Morally, I think you're in the clear for the reason you already gave.