Best bet might be using an API key in the header (e.g. ‘Authorization: Token MY_API_KEY’) instead of as a URL param:
Advantages over HTTP Basic Auth:
- More convenient, as you can easily expire or regenerate tokens without affecting the user’s account password.
- If compromised, the vulnerability is limited to the API, not the user’s master account.
- You can have multiple keys per account (e.g. users can have “test” and “production” keys side by side.)
Advantages over API key in URL:
- Provides an extra measure of security by preventing users from inadvertently sharing URLs with their credentials embedded in them. (Also, URLs can wind up in things like server logs.)
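
A server-side sketch of the scheme described above, as an added example that is not part of the original post: it parses the `Authorization: Token ...` header and supports several labelled keys per account that can be revoked or regenerated independently of each other. The `ApiKeyStore` class and its method names are hypothetical, and storing only a SHA-256 digest of each key is an assumption of this example, not something the post specifies.

```python
import hashlib
import secrets


class ApiKeyStore:
    """Hypothetical in-memory store: keeps only digests, many keys per account."""

    def __init__(self):
        self._keys = {}  # sha256(key) -> {"account", "label", "revoked"}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, account, label):
        """Create a new key (e.g. label "test" or "production") for an account."""
        key = secrets.token_urlsafe(32)  # returned once, never stored in clear
        self._keys[self._digest(key)] = {
            "account": account, "label": label, "revoked": False}
        return key

    def revoke(self, key):
        """Expire one key; the account password and other keys are untouched."""
        rec = self._keys.get(self._digest(key))
        if rec:
            rec["revoked"] = True

    def regenerate(self, key):
        """Replace a live key with a fresh one under the same account and label."""
        rec = self._keys.get(self._digest(key))
        if rec is None or rec["revoked"]:
            return None
        self.revoke(key)
        return self.issue(rec["account"], rec["label"])

    def authenticate(self, headers):
        """Return (account, label) for a valid 'Authorization: Token <key>'."""
        value = next((v for k, v in headers.items()
                      if k.lower() == "authorization"), "")
        scheme, _, key = value.strip().partition(" ")
        key = key.strip()
        if scheme.lower() != "token" or not key:
            return None  # wrong scheme (e.g. Basic) or missing credential
        rec = self._keys.get(self._digest(key))
        if rec is None or rec["revoked"]:
            return None
        return rec["account"], rec["label"]
```

Because the credential travels in a header, the request URL carries nothing that needs scrubbing before it is logged or shared.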