> A key (haha) thing that keys also provide is an opportunity
> to have a conversation with the user of your api: who are they,
> how could you get in touch with them, what are they doing with
> the API, what would they like to do with the API, what doesn’t
> work? These questions are difficult to ask if they are just a
> IP address in your access log.
-- True, but, again, there are other ways to go about this.
I've baulked at doing just this in the past because it reveals the raw
and primary purpose behind an API key: to track individual user
usage/access. I would feel a little awkward writing (and receiving,
incidentally) a message that began:
I saw you using our service. What are you doing with our data?
Data service team
And, if you cringe a little at the ramifications of the above, then why
do you need user-specific granularity? (That's really not meant to be
a rhetorical question - I would genuinely be interested in whether my
notions of "open" and "free" are outmoded and based too much in a
theoretical purity that unnecessary tracking is a violation of privacy).
Unless the API key exists to control specific, user-level access
precisely because this is a facet of the underlying service, I feel
somewhere in all of this the service has violated, in some way, the
notion that it is "open" and/or "free," assuming it has billed itself as
such. Otherwise, it's "free" and "open" as in Google or Facebook.
All that said, I think a data service can smooth things over greatly by
not insisting on a developer signing a EULA (which is essentially what
happens when one requests an API key) before even trying the service or
desiring the most basic of data access. There are middle ground solutions.
On 12/02/2013 12:57 PM, Edward Summers wrote:
> On Dec 3, 2013, at 4:18 AM, Ross Singer <[log in to unmask]> wrote:
>> I'm not going to defend API keys, but not all APIs are open or free. You
>> need to have *some* way to track usage.
> A key (haha) thing that keys also provide is an opportunity to have a conversation with the user of your api: who are they, how could you get in touch with them, what are they doing with the API, what would they like to do with the API, what doesn’t work? These questions are difficult to ask if they are just a IP address in your access log.