Unpopular (?) opinion: "API keys" are an explicitly FOSS-hostile anti-feature and anyone making use of them should be ashamed.
Conversation
Replying to
By "API keys" I mean revokable non-private/pseudo-private tokens (not private account credentials) that are intended to be embedded in an application to allow it programmatic/"API" access to a service.
1
4
They're FOSS-hostile because to publish FOSS that uses the service you either need to embed an API key belonging to the author that will be used in modified versions (usually contrary to ToS and risking revocation) or make everyone who wants to build from source get their own.
1
3
6
In practice though, the API keys can be easily extracted from a non-FOSS application anyway. If an app wants to protect their API keys, they need to proxy the requests through their server instead of having the app communicate directly to the third party services with the keys.
1
2
Obfuscation isn't going to stop someone from extracting the API keys if there's value in them such as if it's a paid service. Even with a proxy, someone could make automated requests, but the app developer has a lot of control over that and can monitor / deal with abuse of it.
Exactly. They're fundamentally NOT an access control mechanism. They're just hostility to FOSS for the sake of low-accuracy attribution/accountability if/when the API is abused.
1
2
7
