by kevincox 270 days ago
But that raises the complexity of hosting this data immensely. From a file + nginx you now need active authentication, issuing keys, monitoring, rate limiting...

Yes, this is the "right" solution but it is a huge pain and it would be nice if we could have nice things without needing to do all of this work.

This is tragedy of the commons in action.

2 comments

Speaking as the person running it - introducing API keys would not be a big deal, we do this for a couple paid services already. But speaking as a person frequently wanting to download free stuff from somewhere, I absolutely hate having to "set up an account" just to download something once. I started that server well over a decade ago (long before I started the business that now houses it); the goal has always been first and foremost to make access to OSM data as straightforward as possible. I fear that having to register would deter many a legitimate user.
Yeah, I totally get it. In an ideal world we could just stick a file on an HTTP server and people would download it reasonably. Everything is simpler and happier this way.
There’s a cheapish middle ground - generate unique URLs for each downloader, which basically embeds a UUID “API” key.

You can paste it into a curl script, but now the endpoint can track it.

So not example.com/file.tgz but example.com/FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8/file.tgz

Yeah, but everyone knows that one. ;)
Everyone also knows the API keys that are used for requests from clients (apps/websites/etc.). ;)
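
The per-downloader URL idea from the thread above, as an added example that is not part of any comment and not the server operator's code: the token in the path is self-validating (HMAC-signed), so the host needs no account system, only a per-token counter to throttle a URL that gets hammered. The function names, the token format, and the window and limit values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # server-side signing key (assumption: held in memory)
WINDOW_SECONDS = 3600             # constructed policy values, not from the thread
MAX_PER_WINDOW = 3

_hits = defaultdict(deque)        # token id -> timestamps of recent downloads


def _tag(token_id):
    """Truncated HMAC that binds a token id to this server's secret."""
    return hmac.new(SECRET, token_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_url(filename, host="example.com"):
    """Mint a unique download URL; nothing has to be stored at issue time."""
    token_id = secrets.token_hex(8)
    return f"https://{host}/{token_id}-{_tag(token_id)}/{filename}"


def _token_from_path(path):
    """Return the token id if the first path segment carries a valid tag."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or "-" not in parts[0]:
        return None
    token_id, tag = parts[0].split("-", 1)
    ok = hmac.compare_digest(tag.encode(), _tag(token_id).encode())
    return token_id if ok else None


def handle(path, now=None):
    """Return the HTTP status for a request path: 200, 404 or 429."""
    now = time.time() if now is None else now
    token_id = _token_from_path(path)
    if token_id is None:
        return 404                    # missing or forged token
    recent = _hits[token_id]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()              # forget hits outside the window
    if len(recent) >= MAX_PER_WINDOW:
        return 429                    # this one URL is over its budget
    recent.append(now)
    return 200
```

A token pasted into a shared script still works for everyone who copies it, as the replies point out; the gain is that the abusive URL can be throttled or revoked without affecting other downloaders.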