I have an app that currently requires each of my users to sign up for TMDB and provide their own API Key. But having contributed to TMDBLib, the C# wrapper library that I'm using, I've noticed that Jellyfin uses a single API Key for its entire userbase, and that this key is public in their GitHub repository.
What's the preferred solution from TMDB staff? Obviously you're providing me and every other non-commercial hobbyist a free service so I want to make sure I consume the API appropriately and don't abuse it. I read the API documentation but I couldn't see anything about this specifically.
Comment by ticao2 🇧🇷 pt-BR
February 1, 2024 at 7:33 AM
A year or so ago, the TOKEN usage feature was implemented.
I personally don't understand how this feature works.
But it was implemented for that.
You authorize or disallow the user of your APP to access TMDb data.
https://developer.themoviedb.org/docs/getting-started
https://developer.themoviedb.org/reference/authentication-how-do-i-generate-a-session-id
Comment by JacobLandau
February 1, 2024 at 1:57 PM
That requires you to use your account's bearer token, which is also a private key. The only benefit of bearer tokens is that you can use them for v4 API access as well as v3. That goes back to square one of my question.
Comment by Travis Bell
February 1, 2024 at 3:28 PM
A few things,
First, the access token that gets issued alongside your API key is not scoped to your individual account, it's only scoped as an application token. It's the exact same as using an API key. If you want to do things like rate movies, and edit lists, then you'll have to either create a session ID or create a new access token which has been authorized separately by a user's account to edit on their behalf. This is outlined here, and here.
Now, about your original question, obviously storing an API key publicly puts you at risk of having it shut down. We kill API keys fairly often as we find out about apps doing bad or illegal things. If one of these bad actors takes your key, your app will be affected until you can roll a new API key. This is probably not desirable.
Depending on the app, you can keep it private by encoding it behind the scenes (like say an exchange that happens with an auth source you control) or you can have users enter their own key. I can't tell you which to choose, it's up to you.
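One way to keep the key "behind the scenes" is a small relay you host that attaches the credential server-side, shown here as an added example that is not part of the original thread or any poster's code. The route allowlist, the stripped-parameter set and the `TMDB_READ_TOKEN` variable name are assumptions made for illustration.

```python
import os
import re
from urllib.parse import parse_qsl, urlencode

UPSTREAM = "https://api.themoviedb.org"

# Read-only routes this relay is willing to forward (assumed allowlist).
ALLOWED_PATHS = [
    re.compile(r"/3/search/(movie|tv)"),
    re.compile(r"/3/(movie|tv)/[0-9]+"),
    re.compile(r"/3/(movie|tv)/[0-9]+/(credits|images)"),
]

# Credential parameters a client must never be able to set or override.
STRIPPED_PARAMS = {"api_key", "session_id", "guest_session_id"}


class Rejected(Exception):
    """Raised when a client request must not be forwarded upstream."""


def build_upstream_request(method, path, query, token):
    """Return (url, headers) for the upstream call, or raise Rejected."""
    if method != "GET":
        raise Rejected("only GET is relayed")
    # fullmatch rejects traversal tricks and any route not listed above.
    if not any(p.fullmatch(path) for p in ALLOWED_PATHS):
        raise Rejected("path not on allowlist")
    params = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k.lower() not in STRIPPED_PARAMS]
    url = UPSTREAM + path
    if params:
        url += "?" + urlencode(params)
    # The credential is attached here, server-side; it never reaches the client.
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    return url, headers


def load_token():
    """Read the token from the environment (TMDB_READ_TOKEN is an assumed name)."""
    token = os.environ.get("TMDB_READ_TOKEN")
    if not token:
        raise RuntimeError("TMDB_READ_TOKEN is not set")
    return token
```

The relay endpoint itself should sit behind your own user authentication and rate limiting, otherwise it simply becomes another public way to spend the key.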