We want to embed an Ajax-style service into a number of our websites, each with a unique API key. The problem that I can see is that, because the API key is stored in the JavaScript file, the user could potentially take the key, spoof the HTTP referrer, and make millions of requests to the API under that API key.
So I am wondering how Google prevents Analytics spoofing, as this uses almost the same idea.
I'm also open to other ideas. Essentially, here is the process:
SiteA -> User <-> Ajax <-> SiteB
EDIT - Is there any way to protect the API from being abused while having it called via Ajax?