You don't have to do anything in the QMC regarding the xrfkey. The only thing that is important is that the argument in the URL used for the API call matches the corresponding header of the http request. Have a look at this page:
I'm afraid I'm not expert on Python, so others would be better suited to help you there. It depends on what you want to do though. If you want to dig into the contents of the app, then you'll usually need to go through the Engine API instead.