Several months ago I wrote a post called Where, oh where, does the API key go? I encouraged API providers to allow consumers to put the API key in the Authorization header to help avoid accidental disclosure of keys via things like web server logs. I recently bumped into a way that anyone can harvest hundreds of API keys from many different web sites, including ones that charge significant amounts of money for access.
Part of my role at Runscope involves me writing OSS libraries or sample projects to share with other developers. I also regularly use third-party APIs in the process. This requires the use of API keys and other private data that I'd rather not share. Unfortunately it is all too easy to leave a key in a source code file and accidentally commit it to a public source control repository.
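As an added example (not code from the original post or from Runscope), here is a minimal pre-commit style scan that flags two of the leaks described above before a file reaches a public repository: credential-looking string literals assigned in source, and keys embedded in URL query strings, which also end up in web server logs. The staged file contents, variable names and key values are all constructed for the example.

```python
import math
import re

# Constructed sample of a source file as it might be staged for commit (not from the post).
STAGED_FILE = '''
import requests
RUNSCOPE_API_KEY = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"  # constructed, real-looking key: must be caught
API_KEY = "XXXXXXXXXXXXXXXXXXXXXXXX"                     # template placeholder: low entropy, skip
url = "https://api.example.test/v1/buckets?access_token=9f8e7d6c5b4a39281706f5e4d3c2b1a0"
resp = requests.get(url, headers={"Authorization": "Bearer " + RUNSCOPE_API_KEY})
'''

# Credential-looking assignment: the name hints at a secret and the value is a long quoted literal.
ASSIGNMENT = re.compile(
    r'(?i)(?P<name>\w*(?:api[_-]?key|secret|token|password)\w*)\s*[=:]\s*["\'](?P<value>[^"\']{16,})["\']')
# Key passed as a query-string parameter, which is logged by most web servers and proxies.
QUERY_PARAM = re.compile(
    r'(?i)[?&](?P<name>[\w-]*(?:api[_-]?key|access[_-]?token|token|key)[\w-]*)=(?P<value>[\w.~-]{16,})')

def shannon_entropy(s):
    """Bits per character: random-looking keys score high, repeated placeholders score near 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(text, min_entropy=3.0):
    """Return (line_no, kind, name) for each likely secret.

    The matched value is deliberately not returned, so the finding can be printed
    or logged by a hook without re-leaking the key it just caught.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("assignment", ASSIGNMENT), ("query-param", QUERY_PARAM)):
            m = pattern.search(line)
            if m and shannon_entropy(m.group("value")) >= min_entropy:
                findings.append((line_no, kind, m.group("name")))
    return findings

if __name__ == "__main__":
    for line_no, kind, name in find_secrets(STAGED_FILE):
        print(f"line {line_no}: possible {kind} secret '{name}'; move it to an env var and rotate it")
```

Wired into a pre-commit hook over `git diff --cached`, a non-empty result should block the commit; anything it reports that was already pushed should be treated as disclosed and rotated, since removing it from history is not enough.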