Is an API key worthless over http since requested parameters can be sniffed?

Is an API key worthless over http since requested parameters can be sniffed? Are they only reliable over https? Even then, aren't you relying on the client to be careful with their key?

Matt asked Jan 21 '26 07:01


1 Answer

Is an API key worthless over http since requested parameters can be sniffed?

No, because sniffing can only be performed if you are on the same LAN with the sysadmins being clueless about IT security, or if you can otherwise capture the transmitted traffic (which is typically pretty hard). Also, there exist technologies like IPSec that provide authenticity and privacy on the network layer.

So using plaintext authentication does not provide zero additional security.

Are they only reliable over https?

This depends on your definition of "reliable". See above. In any case, using transport security prevents attackers from reading your communication. If SSL is enforced, man-in-the-middle attacks are prevented as well.

Even then, aren't you relying on the client to be careful with their key?

Of course you do, you always have to trust your authorized users. This has nothing to do with API keys or passwords or anything.

Niklas B. answered Jan 23 '26 19:01
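
An added example, not part of the answer above: a minimal WSGI middleware that enforces transport security for an API key, refusing the request when it arrives over plain HTTP and comparing the key in constant time. The `X-API-Key` header, the key store, and all function names are assumptions made for illustration.

```python
import hmac

# Constructed sample key store (assumption): API key -> client name.
API_KEYS = {"k_demo_3f9a1c": "client-a"}

def lookup_client(presented):
    """Return the client owning `presented`, or None. Constant-time compare."""
    found = None
    for key, client in API_KEYS.items():
        if hmac.compare_digest(presented.encode(), key.encode()):
            found = client
    return found

def require_tls_api_key(app):
    """Wrap a WSGI app: HTTPS only, valid X-API-Key (assumed header) required."""
    def middleware(environ, start_response):
        # Assumes the server (or a trusted proxy layer) sets wsgi.url_scheme.
        if environ.get("wsgi.url_scheme") != "https":
            # Refuse rather than redirect, so a misconfigured client fails
            # loudly instead of repeating the key in cleartext on every call.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        client = lookup_client(environ.get("HTTP_X_API_KEY", ""))
        if client is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"invalid API key\n"]
        environ["api.client"] = client

        def with_hsts(status, headers, exc_info=None):
            # HSTS tells browser clients to stay on HTTPS for later requests.
            hsts = ("Strict-Transport-Security", "max-age=31536000")
            return start_response(status, list(headers) + [hsts], exc_info)
        return app(environ, with_hsts)
    return middleware

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["api.client"] + "\n").encode()]

def call(app, scheme, key=None):
    """Drive the app with a constructed request; return (status, body, headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    if key is not None:
        environ["HTTP_X_API_KEY"] = key
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    return seen, b"".join(app(environ, start_response))

app = require_tls_api_key(hello)
```

A key that reaches the 403 branch has already been sent in cleartext, so a deployment would normally also log the event and rotate that key.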