An API key can be created for a user that doesn't exists (i.e. st2 apikey create -u foobar where foobar is a nonexistent user). The API key created for this nonexistent user foobar can be used to execute an action and the execution is listed under foobar in context.user. The API key should not have been created in the first place if the user does not exist. Also, since API key doesn't have expiration, there should be another validation during runtime to make sure the user still exists before the API key is verified for other StackStorm operations.