To be (more) controversial...
If it's okay to require headers, why can't API keys go in a header rather
than the URL.
Then it's just the same as content negotiation, it seems to me. You send a
header and get a different response from the same URI.
On Mon, Dec 2, 2013 at 10:57 AM, Edward Summers <[log in to unmask]> wrote:
> On Dec 3, 2013, at 4:18 AM, Ross Singer <[log in to unmask]> wrote:
> > I'm not going to defend API keys, but not all APIs are open or free. You
> > need to have *some* way to track usage.
> A key (haha) thing that keys also provide is an opportunity to have a
> conversation with the user of your api: who are they, how could you get in
> touch with them, what are they doing with the API, what would they like to
> do with the API, what doesn’t work? These questions are difficult to ask if
> they are just a IP address in your access log.