Is issuing an API key without whitelisting associated URL save?

Hello, I am setting up Tyk for the first time and wondering how I can check if a request with an API token is coming from the correct (whitelisted url).

Lets say I am issuing an API key XY for HOST, now I would like to check that the request with the API key XY is coming from HOST

Correct my if I am mistaken, but if someone else gets the API key XY, they could make API request in the name of HOST from a different host, couldn’t they?

That is correct. Whitelisting will allow anyone to access a resource if the IP that is on the request is whitelisted. Unfortunately IPs can be spoofed but that is why you also have a token which means that any one who wants to access your API will need two pieces of information to access it rather than one.