diff --git a/app/models/admin_dashboard_data.rb b/app/models/admin_dashboard_data.rb
index 633b1a0019a..0ef9960d1b8 100644
--- a/app/models/admin_dashboard_data.rb
+++ b/app/models/admin_dashboard_data.rb
@@ -84,7 +84,8 @@ class AdminDashboardData
 @problem_messages = [
 'dashboard.bad_favicon_url',
 'dashboard.poll_pop3_timeout',
- 'dashboard.poll_pop3_auth_error'
+ 'dashboard.poll_pop3_auth_error',
+ 'dashboard.deprecated_api_usage'
 ]
 add_problem_check :rails_env_check, :host_names_check, :force_https_check,
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 0e313715f2b..ffd59c83806 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1338,6 +1338,7 @@ en:
 other: "Email polling has generated %{count} errors in the past 24 hours. Look at the logs for more details."
 missing_mailgun_api_key: "The server is configured to send emails via Mailgun but you haven't provided an API key used to verify the webhook messages."
 bad_favicon_url: "The favicon is failing to load. Check your favicon setting in Site Settings."
+ deprecated_api_usage: "We detected an API request using a deprecated authentication method. Please update it to use header based auth."
 poll_pop3_timeout: "Connection to the POP3 server is timing out. Incoming email could not be retrieved. Please check your POP3 settings and service provider."
 poll_pop3_auth_error: "Connection to the POP3 server is failing with an authentication error. Please check your POP3 settings."
 force_https_warning: "Your website is using SSL. But `force_https` is not yet enabled in your site settings."
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index d7ffdbeb3ec..353555880ec 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -283,6 +283,10 @@ class Auth::DefaultCurrentUserProvider
 def lookup_api_user(api_key_value, request)
 if api_key = ApiKey.active.where(key: api_key_value).includes(:user).first
 api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME]
+ if !header_api_key?
+ # Notify admins of deprecated auth method
+ AdminDashboardData.add_problem_message('dashboard.deprecated_api_usage', 1.day)
+ end
 if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
 Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
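Review bot: The new `AdminDashboardData.add_problem_message` call in `lookup_api_user` raises a dashboard notice that a deprecated auth method was used, but nothing records which key or client used it, so an operator cannot act on the notice; the values are already in scope at that point, and a line such as `Rails.logger.warn("[Deprecated API Auth] api_key_id: #{api_key.id}, username: #{api_username}, IP address: #{request.ip}")` before the `add_problem_message` call would identify the caller without ever writing the key value itself to the log (keys in query strings ending up in logs and proxies is the reason header-based auth is preferred), assuming `ApiKey` is an ActiveRecord model as the `.active.where(...)` chain suggests. The new block also runs before the `allowed_ips` check a few lines further down, so the notice fires for a valid key presented from a disallowed IP as well; that looks intended, but the comment should say so, e.g. `# Notify admins of deprecated (non-header) auth method; runs even when the IP allowlist rejects the request`. If `add_problem_message` writes to a backing store on each call, it now does so on every request that authenticates this way, which is probably acceptable but worth confirming. On style, `if !header_api_key?` should be `unless header_api_key?`, and since `header_api_key?` is now called twice in a row it could be cached in a local such as `using_header = header_api_key?`. `lookup_api_user` continues past the end of the hunk.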