You’re right – when I ran POST api/settings/set without any query parameter, I assumed that when the response key was missing, it referred to a project key. The Web API isn’t exactly consistent when it comes to “the query parameter that means project key” (it can be projectKey, component, componentKey
Now it’s the afternoon and the coffee has kicked in. 
You’re right. I can reproduce this. I’ll flag it for attention.