I've asked this question on Stackoverflow - but I'll put it up for discussion here as well, and if you want to answer on Stackoverflow as well, feel free.
If I https secure it, that's a great step - but reading the forums that's still to come.
If I make something like OAuth then each application gets a key for each user, and that will safeguard particular keys further.
Can anyone else think of a good way of securing the API?
This may be me looking for problems because the likelihood of a hijack by someone seeing the code should be minimal.