19 Jul

This problem has been bugging me for the past few weeks - should web application APIs, such as the ones that Twitter, Pownce, Digg, etc. employ, require the programmer to authenticate by some means, or should they simply be open access? There are very good arguments for both, but the right choice depends on the type of API. If the API provides sensitive data, as the Twitter API does, some sort of authentication should probably be used. If the data is public anyway, as with Digg, then no authentication is needed.

No Authentication: Easiest on the programmer side, hardest on the service that is offering the API. It allows those using the API to dive right in - no need to sign up for a project ID or a username and password combination to authenticate with. The programmer can start playing right away; however, the downside is that the web service offering the API finds it much harder, if not impossible, to track any API abuse. The service provider must weigh the benefit of letting programmers dive head first into the API against how crucial tracking is.

Username/Password Authentication: The opposite of open access is of course closed access - the programmer must provide a username and password to access any data from the API. Now the web service can easily track who requested information from the API and when; the downside is that the programmer cannot start playing with the API immediately.

APIs that provide the programmer with sensitive data should use some sort of authentication method. For example, using the Twitter API a programmer can request information from a user's "timeline" of activity; the programmer then needs to supply authentication for that user. That way data sensitivity is not compromised.

Digg, however, employs a method somewhere in between these two - a username and password are not required, but an application ID is. When requesting data from the Digg API the programmer must provide an application ID that he created. This proves to be a happy medium because the programmer can start playing with the API right away and Digg can also track when the application ID is used; the only problem arises when two programmers choose the same application ID for their projects.

Once again, the right method depends on the project. If sensitive data is being requested, authentication is of course needed. If the data is publicly viewable to begin with, then no authentication is needed, but you might want to consider requiring an application ID so the program/script can be tracked.
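As an added example (not code from the original post or from any of the services named), here is a small Python sketch of the three access models discussed above, applied per endpoint. The service issues the application ID itself instead of letting the programmer pick one, which removes the collision problem noted for Digg's approach. The class and method names (Gateway, register_app, handle) and the sample users and endpoints are hypothetical and constructed for the demo.

```python
import hmac
import secrets
from collections import Counter

PUBLIC, TRACKED, SENSITIVE = "public", "tracked", "sensitive"  # the three models above


class Gateway:
    def __init__(self, users, endpoints):
        self.users = users          # username -> password (constructed; real services store hashes)
        self.endpoints = endpoints  # endpoint name -> PUBLIC | TRACKED | SENSITIVE
        self.app_ids = set()        # application IDs this service has issued
        self.usage = Counter()      # requests seen per application ID

    def register_app(self):
        # Issued server-side, so two programmers can never end up with the same ID
        # (the collision problem the text notes for self-chosen application IDs).
        app_id = secrets.token_hex(8)
        self.app_ids.add(app_id)
        return app_id

    def handle(self, endpoint, app_id=None, username=None, password=None):
        model = self.endpoints[endpoint]
        if model == PUBLIC:
            return "ok"                        # open access: nothing to check or track
        if app_id not in self.app_ids:
            return "error: unknown application ID"
        self.usage[app_id] += 1                # tracking is what the ID buys the provider
        if model == TRACKED:
            return "ok"
        # SENSITIVE: caller must authenticate as the user whose data is requested.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password or ""):
            return "error: user authentication required"
        return f"ok: timeline for {username}"


def demo():
    gw = Gateway(users={"alice": "correct horse"},
                 endpoints={"popular": PUBLIC, "search": TRACKED, "timeline": SENSITIVE})
    app = gw.register_app()
    results = [
        gw.handle("popular"),                    # public data: no credentials needed
        gw.handle("search"),                     # rejected: no application ID
        gw.handle("search", app_id=app),         # accepted and counted
        gw.handle("timeline", app_id=app),       # rejected: sensitive, no user credentials
        gw.handle("timeline", app_id=app, username="alice", password="wrong"),
        gw.handle("timeline", app_id=app, username="alice", password="correct horse"),
    ]
    return results, gw.usage[app]
```

Running demo() shows the public endpoint answering with no credentials, the tracked endpoint refusing callers without an issued ID, and the sensitive endpoint refusing until the user's own credentials are supplied, while the usage counter records every request made under the ID.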

creativecommons.org by-nc-nd
© chaoscoding 2008