
API keys vs HTTP authentication vs OAuth in a RESTful API

Updated: 2023-11-30 13:12:28

It depends on your needs. Do you need:


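  • Identity - who claims to be making an API request?

  • Authentication - are they really who they say they are?

  • Authorization - are they allowed to do what they are trying to do?

Or all three?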

If you just need to identify the caller to keep track of volume or number of API Calls, use a simple API Key. Bear in mind that if the user you have issued the API key shares it with someone else, they will be able to call your API as well.

But if you need authorization as well, that is, you need to provide access only to certain resources based on the caller of the API, then use OAuth.

Here's a good description: http://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization/

UPDATE: Someone pointed out that the above link no longer works. Here's an article somebody wrote while using the above link as a reference http://www.srimax.com/index.php/do-you-need-api-keys-api-identity-vs-authorization/
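
The distinction drawn in the answer above, as an added example that is not part of the original post: an API key only identifies a client for metering, while a per-caller token with scopes decides what that caller may do. The key value, client names, tokens, scopes and routes are constructed for illustration, and the `TOKENS` table stands in for OAuth access tokens that a real service would validate against its authorization server.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: key values, client names, tokens and scopes are hypothetical.
def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

API_KEYS = {_digest("demo-key-alice"): "alice-app"}  # store digests, not raw keys
# Stand-in for OAuth access tokens that were already validated: token -> (subject, scopes)
TOKENS = {
    "tok-bob": ("bob", {"orders:read"}),
    "tok-carol": ("carol", {"orders:read", "orders:write"}),
}
REQUIRED_SCOPE = {("GET", "/orders"): "orders:read",
                  ("POST", "/orders"): "orders:write"}
usage = Counter()  # calls per client, the only thing an API key gives us here

def identify(api_key):
    """Identification for metering: map a presented key to a client name."""
    presented = _digest(api_key or "")
    for stored, client in API_KEYS.items():
        if hmac.compare_digest(stored, presented):  # constant-time comparison
            usage[client] += 1
            return client
    return None

def authorize(token, method, path):
    """Authorization: may this caller perform this operation on this resource?"""
    entry = TOKENS.get(token)
    if entry is None:
        return 401  # caller not authenticated
    _subject, scopes = entry
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None or needed not in scopes:
        return 403  # authenticated, but not allowed (unmapped routes are denied)
    return 200

if __name__ == "__main__":
    # The same key sent by two different people is indistinguishable to the server.
    print(identify("demo-key-alice"), identify("demo-key-alice"), dict(usage))
    print(authorize("tok-bob", "GET", "/orders"))      # 200
    print(authorize("tok-bob", "POST", "/orders"))     # 403
    print(authorize("tok-carol", "POST", "/orders"))   # 200
    print(authorize("tok-unknown", "GET", "/orders"))  # 401
```

Both `identify` calls in the demo are attributed to `alice-app` regardless of who sent them, which is the sharing caveat the answer raises for plain API keys.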