Sending session key in the header vs HTTP-Only coo

Published 2019-08-29 05:37

Question:

I would like to know the best option for sending session key in my system.

In my system, there is an API server that is used by web browser, command line interface and desktop apps. It authenticates the user by looking at the Authorization HTTP header.

Currently, the browser stores the session key in the localStorage and attaches it in the Authorization header for requests that require login. However, it was pointed out that a more secure way to store secrets such as session keys is using HTTP-Only cookies.

The problem is that the web browser client will not be able to read the HTTP-Only cookie and put the session key in the HTTP header.

Given the situation, I am thinking about extending the API server to use either one of Authorization header or cookie to authorize users. Is this a feasible option, and are there alternatives?

Answer 1:

You are right, Cookies and Authorization headers are not compatible out of the box. As you pointed out, you are looking at two use-cases: one for browser usage and another for API (cli, desktop app).

If you want to support both via a single authentication scheme, you will need to work a bit more. As a good rule of thumb, browsers work well with cookies and it's easy to set them up securely. You should opt for cookie-based session management with browsers.

Given the situation, I am thinking about extending the API server to use either one of Authorization header or cookie to authorize users. Is this a feasible option, and are there alternatives?

Yes, this is feasible; it will make your browser use-case more secure. As for alternatives, I put together a Web Authentication Guide that will greatly assist you in exploring your options.
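As an added example (not code from the question or the answer), here is the dual-path check the question proposes: the API server takes the session key from the Authorization header when a CLI or desktop app sends it, and otherwise from an HttpOnly cookie for the browser. Because browsers attach cookies automatically on cross-site requests but never add an Authorization header on their own, the cookie path also gets an origin check on state-changing requests; the cookie name and the trusted-origin parameter are assumptions for this example.

```python
# Added example: one auth layer accepting a session key from EITHER the
# Authorization header (CLI, desktop) OR an HttpOnly cookie (browser).
# SESSION_COOKIE and trusted_origin are assumed names for this example.
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"          # assumed cookie name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_key_from_request(method, headers, trusted_origin):
    """Return (session_key, source) on success or (None, reason) on failure.

    headers: dict of request headers (looked up case-insensitively here).
    source is 'header' or 'cookie' so callers can log which path was used.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Non-browser clients: "Authorization: Bearer <key>". No CSRF risk,
    #    because a browser never adds this header by itself.
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip(), "header"

    # 2. Browser clients: HttpOnly cookie that page scripts cannot read.
    jar = SimpleCookie()
    jar.load(h.get("cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None or not morsel.value:
        return None, "no credentials"

    # Cookies ride along on cross-site requests too, so state-changing
    # requests must prove they came from our own origin (Origin/Referer
    # check here; a synchronizer token would be an equivalent choice).
    if method.upper() not in SAFE_METHODS:
        origin = h.get("origin") or h.get("referer", "")
        if not (origin == trusted_origin
                or origin.startswith(trusted_origin + "/")):
            return None, "csrf: untrusted origin"
    return morsel.value, "cookie"


def set_cookie_header(session_key, max_age=3600):
    """Set-Cookie value that keeps the key out of reach of page scripts."""
    return (f"{SESSION_COOKIE}={session_key}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```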