Why do some API providers require an API key?

Question

Several web service APIs have you sign up for an API key. For example, UPS Web services requires a key, which is included in calls to their service -- In addition to the use

Answer 1

They could use it to signify which version of the API you are trying to use. Perhaps in Version 1.0, there is a method that takes a POST on www.UPS.com/search and there is another one in version 2.0 at the same address, but takes a different parameter set, or even returns data in a different format/style. Your program was built on V1.0 and expects a certain API contract. They want to be able to create V2.0 without interfering with their customer's products.

That's just a guess, but it sounds good to me.

Answer 2

In our situation, our clients want it for:

• Tracking/analytics - figuring out who's doing what and building what products. Because a number of users are desktop apps, just looking at referrers isn't always enough.
• Permissions - which resources should a user have access to? How can a user build apps that have access to specified resources?
• Licensing/legal - enforcing that users have read and accepted ToU/licensing information.
• Security - passing around usernames/passwords is a really bad idea.

Answer 3

Usually it used to get stats on how much application performing queries to API. I think asking username/password with API key is ambigious in some cases, but it is a way how it is implemented - so we can't do something with it.

They ask for API key because you could have more than one API under same account - in case you have more than one site which are use same API.

Answer 4

There are two predominant use cases. The first is to measure, track and restrict API usage. If someone is building a service that allows third parties to access it, the service provider may want to control (or at least know) who has access so that they can try and prevent things like denial of service attacks. On the measure and track side, interesting information can be obtained such as knowing which applications are popular for accessing the service or which features people use the most.

The other use case is related to security and authentication. It is unwise for a service provider to have third party applications and services require users to give up their username and password for the primary service. This is a huge exposure. That is why many services are standardizing on protocols such as OAuth, which provides delegated access via authorization to a user's data. While not foolproof, it is definitely preferable to distributing user credentials to unknown, and untrusted, parties.

Answer 5

I think Gracenote does a similar thing for cddb. I forget the details, but I remember something about some token.

(They have/had really draconian rules about using their service too.)

Simon reminded me what the gracenote thing was. Gracenote and Fedex and other webservices have lots of developers writing apps for the software. So the developers get a token to put into their apps, but the end users have their own user name and password. It lets the services keep an eye on abusing programs, etc. That is probably te primary reason. (like a browser or a webbot informing the webserver who/what it is)

Answer 6

Most of the time it is to monitor how developers are using the web-api. If they somehow disagree with your usage of the api it provides a means for them to shut it/you down without hurting the other users. And the statistics per user/app are always valuable.

I've used the flickr api - in that situation the key is yours, but the login data might be those of people using your app, so the api key is the only way to differentiate between the apps.