> A key (haha) thing that keys also provide is an opportunity > to have a conversation with the user of your api: who are they, > how could you get in touch with them, what are they doing with > the API, what would they like to do with the API, what doesn’t > work? These questions are difficult to ask if they are just a > IP address in your access log. -- True, but, again, there are other ways to go about this. I've baulked at doing just this in the past because it reveals the raw and primary purpose behind an API key: to track individual user usage/access. I would feel a little awkward writing (and receiving, incidentally) a message that began: -------------- Hello, I saw you using our service. What are you doing with our data? Cordially, Data service team ----------- And, if you cringe a little at the ramifications of the above, then why do you need user-specific granularity? (That's really not meant to be a rhetorical question - I would genuinely be interested in whether my notions of "open" and "free" are outmoded and based too much in a theoretical purity that unnecessary tracking is a violation of privacy). Unless the API key exists to control specific, user-level access precisely because this is a facet of the underlying service, I feel somewhere in all of this the service has violated, in some way, the notion that it is "open" and/or "free," assuming it has billed itself as such. Otherwise, it's "free" and "open" as in Google or Facebook. All that said, I think a data service can smooth things over greatly by not insisting on a developer signing a EULA (which is essentially what happens when one requests an API key) before even trying the service or desiring the most basic of data access. There are middle ground solutions. Yours, Kevin On 12/02/2013 12:57 PM, Edward Summers wrote: > On Dec 3, 2013, at 4:18 AM, Ross Singer <[log in to unmask]> wrote: >> I'm not going to defend API keys, but not all APIs are open or free. You >> need to have *some* way to track usage. > > A key (haha) thing that keys also provide is an opportunity to have a conversation with the user of your api: who are they, how could you get in touch with them, what are they doing with the API, what would they like to do with the API, what doesn’t work? These questions are difficult to ask if they are just a IP address in your access log. > > //Ed >