Is issuing an API key without whitelisting associated URL save?

Hello, I am setting up Tyk for the first time and wondering how I can check if a request with an API token is coming from the correct (whitelisted url).

Lets say I am issuing an API key XY for HOST, now I would like to check that the request with the API key XY is coming from HOST

Correct my if I am mistaken, but if someone else gets the API key XY, they could make API request in the name of HOST from a different host, couldn’t they?