Let's assume that I have created my REST service smoothly and I am returning json results.
I also implemented API key for my users to communicate for my service.
Then Company A started using my service and I gave them an API key.
For example, lets assume that my service url is as follows :
https://api.myservice.com/data?apikey={key_comes_here}
Main problem is that I will have my own web site that also needs to call my own same REST web service. If I pass API key from my web site when I call my own REST service what will stop someone to use for example Firebug, see what API key I am using in my web app and use same API key ?
The method Google uses in eg. Google Maps is to link the API to a URL. So you can only use the supplied key in applications from the URL specified when you requested the key. This is especially usable in web applications, where you can get the referrer url at the server.