The following example removes the apikey query parameter from the request:

<AssignMessage name="remove-query-param">
  <Remove>
    <QueryParams>
      <QueryParam name="apikey"/>
    </QueryParams>
  </Remove>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

It's a best practice to strip the apikey query parameter from the request message when you use the VerifyAPIKey policy for user authentication. You do this to prevent sensitive key information from being passed to the backend target.