First of all: I am quite unsure about the title of the question, so if you have a better idea, please feel free to tell (:
I would like to know about best-practice examples where services (like Twitter or co) which offer APIs and want you as a developer to use some API key prevent third parties from getting that key.
I will explain my regards with bad examples:
As far as I know, Twitter and FB require you to use API-Keys for API-requests. That's fine for server-side applications, but as soon as you submit your key from a web-app or desktop-application, the key is visible to others.
Because you have to submit that key, it doesn't make much sense to super-securely store it inside your app. For the request, it has to be plain.
One thing you might do is to host your own web-service or wrapper which appends the key server side and then routes that request to the target server.
But this is not possible if Twitter, or whatever service you are using, is limiting API requests per IP or wants to create IP-based statistics.
So to sum it up: If I was in the position to create an API for others and don't want them to use SSL, what possibilities would I have to make sure their key is safe and cannot easily be stolen?
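The wrapper idea mentioned in the question, as an added example that is not part of the original post: a small server-side proxy that discards any key sent by the client and appends its own before forwarding. The upstream host, parameter name, paths and environment variable are hypothetical; the upstream service sees only the wrapper's IP, which is the limitation the question raises.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import urlopen

# All names below are hypothetical placeholders, not a real service's API.
UPSTREAM = "https://api.example.invalid"
KEY_PARAM = "api_key"
ALLOWED_PATHS = {"/1/search", "/1/timeline"}
# The key lives only on the server; the default is a constructed demo value.
API_KEY = os.environ.get("UPSTREAM_API_KEY", "constructed-demo-key")

def build_upstream_url(client_target: str) -> str:
    """Map the path and query a client sent to the URL the wrapper forwards."""
    parts = urlsplit(client_target)
    if parts.scheme or parts.netloc:
        raise ValueError("absolute URLs are not forwarded")
    if parts.path not in ALLOWED_PATHS:
        raise ValueError("path not allowed")
    # Drop any key the client supplied, then append the server-side key.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() != KEY_PARAM]
    params.append((KEY_PARAM, API_KEY))
    return f"{UPSTREAM}{parts.path}?{urlencode(params)}"

class Wrapper(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            url = build_upstream_url(self.path)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        try:
            with urlopen(url, timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
        except OSError:  # covers URLError and HTTPError
            self.send_error(502, "upstream request failed")
            return
        # Only the upstream body is relayed; the forwarded URL is not.
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Wrapper).serve_forever()
```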