I've been working on with RemoteEvents lately, and it is generally recommended that there should be reasonable sanity checks in order to make the game exploit-proof. I can generally do these sanity checks, but I want to ask your opinion of a (maybe) simpler way where the client needs to send a key to the server as an argument, and checks if that key matches a StringValue stored in ServerStorage that changes itself every 1-5 seconds. If not, then it returns and cancels the function. Is this method good or bad?
No, this is not a proper sanity check.
An exploit could get the source of the localscript, find out how the localscript gets the key from the server, and bypass your checks entirely. While it will stop 90% of exploiters, it only takes one to find out how to do it. The only thing sending a key does is increase bandwidth.
Let's say you're making a rocket. When the client tells the server where the rocket fired, the server could check that the rocket firing position is within ~5 studs of the player. If it's not, the server would not fire the rocket, but it would not kick the player because false positives do happen. The client could then resend the request and it would fire the rocket properly. That way, an exploit can't just fire the rocket from any random position it wants.
Now, if your key is sufficiently short (10 characters or less), it could prove to be a real challenge to most exploiters and not increase bandwidth by too much. However, it shouldn't be your only line of defense if you do decide to use it.