To be (more) controversial... If it's okay to require headers, why can't API keys go in a header rather than the URL. Then it's just the same as content negotiation, it seems to me. You send a header and get a different response from the same URI.
Rob On Mon, Dec 2, 2013 at 10:57 AM, Edward Summers <e...@pobox.com> wrote: > On Dec 3, 2013, at 4:18 AM, Ross Singer <rossfsin...@gmail.com> wrote: > > I'm not going to defend API keys, but not all APIs are open or free. You > > need to have *some* way to track usage. > > A key (haha) thing that keys also provide is an opportunity to have a > conversation with the user of your api: who are they, how could you get in > touch with them, what are they doing with the API, what would they like to > do with the API, what doesn’t work? These questions are difficult to ask if > they are just a IP address in your access log. > > //Ed >