One good bit of advice I have seen for people who are just starting out with publishing an API: require a "developer email" parameter in the request instead of an API key.<p>Yes, it could be spoofed or faked. But:<p>* You can detect honest, accidental excessive usage and follow up by email,<p>* You can block new email addresses but keep the API up for existing users if hit by a randomised bot,<p>* You can follow up with developers, and interview them to see what they are using the API for,<p>* There is an obvious way to get in touch with developers to tell them about API changes,<p>* And you can start out with this by just logging requests to a database/file/cache, without building a full "developer portal".
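The scheme described in that comment, as an added example (this is not code from the thread or from any particular API): requests carry a self-reported `developer_email`, the server records per-address activity in memory (standing in for the database/file/cache the comment mentions), lists addresses whose usage looks excessive so someone can email them rather than ban them, and has a "lockdown" switch that keeps serving addresses seen before the switch was thrown while refusing new ones. The window, limit and sample traffic are constructed for the demo; the syntactic email check is deliberately loose, because the value is spoofable and gates nothing security-critical.

```python
"""Email-keyed request log with lockdown mode (added example, not from the thread)."""
import re
from collections import defaultdict, deque

# Loose syntactic check only: the address is self-reported, so this just keeps
# junk out of the contact list rather than acting as authentication.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class DeveloperRegistry:
    def __init__(self, window_seconds=60, per_window_limit=100):
        self.window = window_seconds
        self.limit = per_window_limit
        self.first_seen = {}              # email -> time of first request
        self.recent = defaultdict(deque)  # email -> timestamps inside the window
        self.lockdown_since = None        # set while a bot storm is in progress

    def enter_lockdown(self, now):
        """Refuse addresses not seen before `now`; existing developers keep access."""
        self.lockdown_since = now

    def clear_lockdown(self):
        self.lockdown_since = None

    def _trim(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def handle(self, email, now):
        """Admit or refuse one request. Returns (allowed, reason)."""
        if not email or not EMAIL_RE.match(email):
            return False, "missing or malformed developer_email"
        known = email in self.first_seen
        if self.lockdown_since is not None and not known:
            return False, "lockdown: new developer addresses not accepted"
        if not known:
            self.first_seen[email] = now
        q = self.recent[email]
        q.append(now)
        self._trim(q, now)
        return True, "ok"

    def excessive(self, now):
        """Addresses over the per-window limit, busiest first.

        These are candidates for a friendly follow-up email, not an automatic ban:
        the comment's point is that accidental overuse is usually an honest bug."""
        out = []
        for email, q in self.recent.items():
            self._trim(q, now)
            if len(q) > self.limit:
                out.append((email, len(q)))
        return sorted(out, key=lambda t: -t[1])


def demo():
    # Constructed traffic: one polite developer, one with a runaway retry loop.
    reg = DeveloperRegistry(window_seconds=60, per_window_limit=5)
    for t in range(3):
        reg.handle("alice@example.com", now=t)
    for t in range(8):
        reg.handle("bob@example.com", now=10 + t)
    over = reg.excessive(now=20)                         # bob is over the limit
    reg.enter_lockdown(now=30)                           # bot storm: freeze new addresses
    new_ok, _ = reg.handle("x9q@bot.example", now=31)    # refused
    old_ok, _ = reg.handle("alice@example.com", now=31)  # still served
    return over, new_ok, old_ok


if __name__ == "__main__":
    print(demo())
```

The registry never blocks on volume alone; `excessive()` only produces the list you would work through by email, which is the low-friction behaviour the comment argues for. Lockdown is the one hard gate, and it is keyed on whether an address was already known, so a bot that invents fresh addresses gets nothing while existing integrations keep working.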
> Rate limiting is one approach but it is easily gamed.<p>Is it? Simple IP-based rate limiting seems quite effective to all but the most determined abuser.
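As an added example (not code from the thread), here is the kind of simple per-IP limiter the reply has in mind, a token bucket keyed on client address, together with the one detail that decides whether it is "easily gamed": which address you key on. If the limiter reads the client IP from an X-Forwarded-For header that any peer can set, an abuser picks a fresh address per request and the limit never triggers; so the header is honoured only when the direct peer is one of our own proxies. `TRUSTED_PROXIES`, the rate and burst, and the sample addresses are assumptions constructed for the demo.

```python
"""Per-IP token-bucket limiter with safe client-IP resolution (added example)."""
import ipaddress

# Assumed deployment setting: the reverse proxy that appends X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr, forwarded_for=None):
    """Key for rate limiting.

    X-Forwarded-For is only believed when the direct peer is our own proxy; the
    rightmost entry is the hop that proxy appended, i.e. the address it actually
    saw. From anyone else the header is attacker-controlled and ignored."""
    peer = ipaddress.ip_address(peer_addr)
    if forwarded_for and peer in TRUSTED_PROXIES:
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


class TokenBucketLimiter:
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}  # ip -> (tokens remaining, time of last refill)

    def allow(self, ip, now):
        """Spend one token for `ip` if available; refill lazily at `rate_per_sec`."""
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False


def demo():
    lim = TokenBucketLimiter(rate_per_sec=1.0, burst=5)
    ip = client_ip("203.0.113.7")
    # A burst of 7 requests in the same instant: 5 pass, 2 are refused.
    results = [lim.allow(ip, now=0.0) for _ in range(7)]
    # Two seconds later the bucket has refilled two tokens.
    later = lim.allow(ip, now=2.0)
    # Header from an untrusted peer is ignored, so the limiter still keys on the peer...
    spoofed = client_ip("203.0.113.7", "198.51.100.9")
    # ...but is honoured when our own proxy appended it (rightmost hop wins).
    real = client_ip("10.0.0.5", "198.51.100.9, 192.0.2.4")
    return results, later, str(spoofed), str(real)


if __name__ == "__main__":
    print(demo())
```

Keep the bucket state in something shared (a cache) when the API runs on more than one instance, otherwise each instance hands out a full burst of its own.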
To me it seems like hanging would be more of a deterrent than failing requests, as developers could simply retry a request on a simulated failure.<p>Some developers could even try to fire multiple requests and use the fastest one, effectively reducing the failure rate to the app.<p>It's an interesting problem to solve. The one that I would like to see a solution for is allowing end users to interact directly with a third-party service without exposing the API key or requiring them to do any authentication.
If you're trying to put people off abusing it, wouldn't randomly failing make the situation worse? People will just code apps to try the request again until it doesn't. It'd be like inviting people to DDoS your API. So long as the display bit is asynchronous then the user will just see a spinner until it's worked and the results are sent across.
<i>Required keys make it much harder for developers to learn new things.</i><p>Really? You fill out a form, click submit, get your key via email soon after. Or at worst, the following Monday. IMO, that's not a lot of friction.
How hard is it to run a second, smaller server for "learning" that doesn't get rate limited but also doesn't have full access? Maybe it even only has access to a fake data set, no real data.