umm... it's called HTTP-AUTH, and if you really want to be cool, use an X.509 client cert for authorization (see geoserver as an example that works very cleanly - http://docs.geoserver.org/latest/en/user/security/tutorials/cert/index.html; the freebxml registry-repository also uses X.509 based authentication in a reasonably clean manner)

Robert Sanderson wrote:
> To be (more) controversial...
>
> If it's okay to require headers, why can't API keys go in a header rather
> than the URL?
> Then it's just the same as content negotiation, it seems to me. You send a
> header and get a different response from the same URI.
>
> Rob
>
> On Mon, Dec 2, 2013 at 10:57 AM, Edward Summers wrote:
>
>> On Dec 3, 2013, at 4:18 AM, Ross Singer wrote:
>>> I'm not going to defend API keys, but not all APIs are open or free. You
>>> need to have *some* way to track usage.
>> A key (haha) thing that keys also provide is an opportunity to have a
>> conversation with the user of your api: who are they, how could you get in
>> touch with them, what are they doing with the API, what would they like to
>> do with the API, what doesn’t work? These questions are difficult to ask if
>> they are just an IP address in your access log.
>>
>> //Ed