then you can check for

apikey:somekey#user

as the subject, to see if any user holding that key has access