API usage conventions

I'm quite new to the usage of APIs in web development. I'm working on a web application in Python/Django that makes AJAX JSONP requests to the giantbomb API. As I learn how to use this API to get the info I want, I'm beginning to realize certain things should probably be handled better in my code for various efficiency/security reasons. But I am unfamiliar with conventions for the usage of web-based APIs. Here are a few questions I've been thinking about:

  1. Is it bad to have my API key in the address bar, or in the source?
  2. Since I am using Django/Python, should I just create a custom view for each API request and use simplejson? I wanted to use AJAX to reduce the amount of requests, and for a better dynamic UI.
  3. In these situations, are API keys and API URLs saved into a session and then accessed as needed?

Thank you for your help and patience in advance.

  1. Having your API key visible to the user means they can do requests as you. Whether this is bad or not depends on the API in question. If it is possible to do three-legged auth, your server can negotiate a temporary key (e.g. OAuth's session key) with the API server and only share that temporary key with the browser.

  2. If you intend for the browser to do the API requests via AJAX, your views don't enter into the picture at all, except to pass the API credentials to the browser for use in JavaScript.

  3. If you are doing three-legged auth, your server would store the API key somewhere permanent (database or file), but the session key could live in a more temporary location (e.g. wherever your session data is stored). But it will still need to be passed to the browser, assuming it is doing the actual API requests.
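The other option the question's item 2 raises, when the API offers no three-legged auth, is to keep the key on the server and have the browser's AJAX call hit your own view, which forwards a restricted request upstream. The following is an added example, not code from the original post or from the giantbomb API; it is written framework-agnostic so it runs without Django, and the upstream base URL, the `ALLOWED_RESOURCES`/`ALLOWED_PARAMS` sets, the `fetch` callable and the JSONP callback rule are all assumptions. The key is read from the environment with a constructed placeholder default.

```python
"""Server-side proxy pattern: the secret API key never reaches the browser."""
import json
import os
import re
from urllib.parse import parse_qs, urlencode, urlsplit

UPSTREAM_BASE = "https://www.giantbomb.com/api/"  # assumed upstream base URL
# Real deployments read this from server config or the environment, never
# from a template, a static JS file or a query string sent to the client.
API_KEY = os.environ.get("GIANTBOMB_API_KEY", "constructed-placeholder-key")

# Forward only what the front end needs, so the endpoint cannot be used as a
# general-purpose relay for arbitrary upstream calls made with your key.
ALLOWED_RESOURCES = {"search", "games"}
ALLOWED_PARAMS = {"query", "limit", "offset"}

# JSONP callback names must look like a plain JS identifier path; anything
# else would let a caller inject script into the response body.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$.]*")


def build_upstream_url(resource, client_params):
    """Turn the browser's key-less request into the upstream URL, attaching the
    key on the server side and dropping parameters that are not whitelisted."""
    if resource not in ALLOWED_RESOURCES:
        raise ValueError("resource not allowed: %r" % resource)
    forwarded = {k: v for k, v in client_params.items() if k in ALLOWED_PARAMS}
    forwarded["api_key"] = API_KEY
    forwarded["format"] = "json"
    return "%s%s/?%s" % (UPSTREAM_BASE, resource, urlencode(forwarded))


def proxy_search(client_params, fetch, callback=None):
    """View logic for a /api/search endpoint.

    `fetch(url)` is injected (a real view would use urllib/requests) so the
    example runs offline. If `callback` is given the body is wrapped as JSONP,
    which is what the original poster's front end expects."""
    body = fetch(build_upstream_url("search", client_params))
    payload = json.loads(body)  # validate that upstream actually returned JSON
    text = json.dumps(payload)
    if callback is None:
        return text
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback name")
    return "%s(%s);" % (callback, text)


def key_leaks_into_client(text):
    """Guard for a unit test: scan anything rendered for the browser (template
    output, generated JS, redirect URLs) for the server-side secret."""
    return API_KEY in text


def constructed_upstream(url):
    """Stand-in for the real HTTP call. Confirms the key was attached by the
    server and returns a constructed response shaped like a search result."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("api_key") != [API_KEY]:
        raise RuntimeError("upstream request is missing the server-side key")
    return json.dumps({"status_code": 1,
                       "results": [{"name": qs["query"][0]}]})


if __name__ == "__main__":
    # The browser only ever sends {"query": ...}; the key is added here.
    print(proxy_search({"query": "zelda"}, constructed_upstream, callback="cb"))
```

With this layout the browser's AJAX code contains no credential at all, and the question about keeping the key in the session becomes moot: it stays in server configuration, while per-user state (if any) lives in the session as the answer describes.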