Building an API without authentication requirements?

Is it a bad idea to build an API without a key / other authentication requirements?

Upsides:

• Simpler to implement
• Simpler to use

Downsides:

• Potential it might 开发者_StackOverflow社区get overused
• ... leading to having to add a key later and annoy users

I'm not building the next Facebook here, just a simple data service. I don't expect to have to support tons of users, and my data's static.

Given the above, is it bad practice to build an API without requiring a key, or will I get away with it?

With REST-APIs you use HTTP authentication, there are no keys required.

You only need to authenticate your users if there is content on your site that should not be seen by any user.

You can start without it and if at some point you feel you need to protect your site (or individual resources) from the public, you simply implement HTTP Authentication by sending a 401 status codes if no Authenticate header is present in the request. HTTP clients understand that out of the box, so nothing changes for your users.

Implementation-wise authentication is often just an independent layer or phase in the request handling, so you won't need to rip apart all you code.