Should I Enable API Keys?

Both "Use keys" and "Use sessid" are enabled by default at /admin/build/services/settings. A good rule of thumb for deciding whether each is relevant to your application follows:

  • Do I need to allow access to the service from another domain or multiple other domains? If so, API keys should be enabled and assigned per domain.
  • Will I be using browser cookies for user authentication and can my protocol support the use of cookies (XMLRPC doesn't)? If not, sessids should be used instead.

It then stands to reason that for single-domain applications the use of sessid alone should be sufficient. Please keep in mind that, due to the enhanced security of Drupal 6 API keys, enabling keys after the fact has a non-trivial impact on ALL existing services and access, and WILL require changes to ALL applications using any current service.