[pierrefar]

Please don't do SOAP. Please. It's painful to use as a developer. REST and REST-like services are much easier to build for, not to mention debug and test.

Think about the output your API will produce. JSON and/or an XML flavor? What about JSONP support?

And do you want users to identify themselves? How? An API key is the usual way, but Digg has a neat alternative (which I'm using for inspiration on a soon-to-launch API) of each API call providing an app identifier in the form of a URL of a web page describing the app.

Also, don't forget to version your API so that in the future if you implement a change that breaks the default or usual behavior, you can have a chance of maintaining backwards compatibility.

Rate limiting? If you want that, use memcached or Redis or any super-fast in-memory store.

Finally, log everything on the server.