As we develop applications using the SmugMug API, are we supposed to keep our requested API keys private (even from uses of our applications)?

To be a little more concrete: I'm developing a plug-in for a JavaScript image gallery viewer, so that the viewer is automatically populated with images from a SmugMug album (this is similar to something I did a while ago with a flash-based viewer -- search the forums for SmugMugViewer if you're interested). The plug-in itself does not require the API key; instead you pass an API key as an argument when you create the object in javascript. I was, however, planning to include with the source code a simple HTML example for how to include the viewer in a web page and link it to an SM album, and would need to hard code my API key into that HTML file in order for it to function.

So which is the correct answer: (a) I should avoid publicizing the API key; (b) I can hard code the API key, but ask users to proved their own when deploying the application on their website; or (c) I should provide the API key and ask that users use the SAME key when deploying it on their website.

Cheers

P.S. If anyone's interested, the image viewer I'm integrating with SmugMug is called Galleria (http://galleria.aino.se); I'll make a post in the near future when I release the code.

does your script, I saw your other thread, need to execute the code within the client browser? You could have your API code in a server side compiled library which can be called to generate and return the HTML gallery code. Or you could just stuff it in a serverside page like JSP/ASP/ASPX/PHP/whatever so, again, all which will be sent to the client side is the actual HTML for the gallery in pre-built form.

I know I immediately decided your solution would not work for my current needs because it includes the API key within the HTML page. And for my solution I would need to code around things in order to have one of my servers generate the gallery and send just the HTML...a potential point if failure I don't want to introduce into my situation.

BTW, like you I want to move away from the whole Flash as a must have, even though I personally do not have any Flash issues...my concern is my customer base can be somewhat persnickity and not too computer literate as well as older so they read or hear something and suddenly they equate something like Flash as bad even when used correctly.