antony-lovric
commented
7 years ago Has anyone else thought about this? We would like to use the API key to throttle traffic and have insight into who is using the system. Without it we would need to use quotas against IPs or an alternate mitigation strategy.
Currently, the spec states that API keys are only required for the POST Service Request method, but it doesn't clearly say whether this is optional for other methods. It says that API keys are not required for other methods, but if an implementation wanted to require them for other methods, would this be acceptable or would it break compliance with the spec? This needs to be explained in the documentation.
http://lists.open311.org/r/post/5X71Jj9HSG1gOX8worgppv