Most APIs ask developers to get an API key. The API key is then used for rate limiting. What is to stop a developer from getting multiple API keys as a way to prevent the rate limit?
The problem I'm facing is deciding how to issue an API key. The only thing I found working is to issue more of a "developer key".
- I haven't found a way to really rate limit an application's usage (someone could obtain multiple keys and feed them to his app in sequence to get higher rates for this one app)
- and I haven't found a way to keep the key per-application (someone could get the key and use it on multiple domains)
An API key isn't the right tool for rate limiting, especially if the API is back-end callable. It works if the code is integrated at the end-user's browser, since that serves as "neutral ground" that can ensure that the application identity isn't being spoofed, but not if it's called from a service or application written by your client developers.
Resource utilization control is an economic problem, so it calls for an economic solution. Requiring a unique hashcash token per-call is a good way to enforce this. (Hashcash is a proof-of-work scheme -- it requires the caller to prove they've expended a bunch of CPU time on a pointless task as a way to prove the request has value to them.)
It is also scalable depending on load -- if your service is being overwhelmed, you can dynamically increase the "price" in leading zero bits required in the token; each increase by one bit will reduce the request rate by half. (Just make sure your API can communicate the hashcash "price" if it is dynamic.)
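A concrete sketch of the per-call hashcash scheme described above, added here as an example and not part of the original answer. The token layout, the SHA-256 choice, the 300-second freshness window and the in-memory seen-set are all assumptions; the server-side check is what matters: a token is accepted only if it names this endpoint, was minted at or above the current price in leading zero bits, is fresh, actually hashes to that many zero bits, and has not been presented before.

```python
import hashlib
import secrets
import time
from typing import Optional
# Token layout is an assumption for this example (loosely modelled on hashcash):
#   "1:<bits>:<unix ts>:<resource>:<random salt>:<counter>"
# Accept a call only if SHA-256(token) has >= <bits> leading zero bits, <bits> meets the
# current price, the token names this endpoint, is fresh, and was not presented before.
def leading_zero_bits(digest: bytes) -> int:
    n = 0
    for b in digest:
        if b:
            return n + 8 - b.bit_length()
        n += 8
    return n

def mint_token(resource: str, bits: int, ts: Optional[int] = None) -> str:
    # Client side: try counters until the hash meets the price (about 2**bits hashes).
    ts = int(time.time()) if ts is None else ts
    salt = secrets.token_hex(4)          # keeps concurrent clients from colliding
    counter = 0
    while True:
        token = f"1:{bits}:{ts}:{resource}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(token.encode()).digest()) >= bits:
            return token
        counter += 1

class TokenVerifier:
    """Server side: enforce the current price and reject double-spent tokens."""
    def __init__(self, resource: str, bits: int, max_age: int = 300):
        self.resource, self.bits, self.max_age = resource, bits, max_age
        self.seen = set()                # production: TTL store shared by all workers

    def verify(self, token: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ver, bits, ts, resource, _salt, _ctr = token.split(":", 5)
            bits, ts = int(bits), int(ts)
        except ValueError:
            return False                 # malformed token
        if ver != "1" or resource != self.resource or bits < self.bits:
            return False                 # wrong endpoint, or minted below the current price
        if not (now - self.max_age <= ts <= now + 60):
            return False                 # stale or future-dated; bounds the replay set
        if leading_zero_bits(hashlib.sha256(token.encode()).digest()) < bits:
            return False                 # claimed work was not actually done
        if token in self.seen:
            return False                 # replayed token
        self.seen.add(token)
        return True
```

Raising the price is just changing `bits` on the verifier: tokens minted at the old, lower price fail the `bits < self.bits` check, while tokens minted at a higher price than required are still accepted.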