One of the founders, just wanted to reply and say, yes, you are entirely right. We put up that endpoint for a separate purpose, didn't expect people to find it (underestimating people is clearly a bad strategy) and will be locking it down to require a password to create/find an apikey.
In general, the apikey doesn't actually provide very much security as is; it's public by its very nature, as you have to put it client side and expose it to all your users. We've got HMAC and secret keys in the pipeline for next week :D
Also, isn't it normal to check the referrer when using API keys? That's what Facebook does -- API keys only work from certain domains, which effectively restricts their access. The downside is that you need to maintain separate API keys for every domain (staging, sandbox, etc), but the advantage is that they don't rely on the honor system :P
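The two mitigations discussed in this thread, a per-key domain allowlist checked against the browser's Origin/Referer header and a secret-key HMAC over a signed, expiring upload policy, fit together on the server side. The following is an added example written for this page, not filepicker.io's code; the key registry, the secret, the policy fields and the function names are all constructed here to show the checks, not taken from the service.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed sample registry (not real keys): the public apikey maps to a
# server-side secret that never ships to the browser, plus the hostnames
# the key may be used from (one key per environment, as the thread notes).
KEYS = {
    "A1b2c3ExampleKey": {
        "secret": "constructed-secret-do-not-reuse",
        "allowed_origins": {"app.example.com", "staging.example.com"},
    },
}


def origin_allowed(apikey, origin_header):
    """Check the browser-supplied Origin/Referer host against the key's allowlist.
    Browsers set these headers reliably; non-browser clients can forge them,
    so this only raises the bar for abuse from other sites, it is not authentication."""
    entry = KEYS.get(apikey)
    if entry is None or not origin_header:
        return False
    host = urlparse(origin_header).hostname
    return host in entry["allowed_origins"]


def sign_policy(secret, policy_dict):
    """Server side: encode an upload policy (what may be done, until when) and
    sign it with the secret. The browser receives policy + signature, never the secret."""
    policy = base64.urlsafe_b64encode(
        json.dumps(policy_dict, sort_keys=True).encode()
    ).decode()
    signature = hmac.new(secret.encode(), policy.encode(), hashlib.sha256).hexdigest()
    return policy, signature


def verify_policy(apikey, policy, signature, now=None):
    """Recompute the HMAC with the key's secret, compare in constant time,
    then reject policies whose expiry has passed."""
    entry = KEYS.get(apikey)
    if entry is None:
        return False
    expected = hmac.new(entry["secret"].encode(), policy.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    try:
        policy_dict = json.loads(base64.urlsafe_b64decode(policy))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return False
    now = time.time() if now is None else now
    return policy_dict.get("expiry", 0) > now


def authorize_upload(apikey, origin_header, policy, signature, now=None):
    """Both checks must pass before the server accepts an upload for this key."""
    return origin_allowed(apikey, origin_header) and verify_policy(
        apikey, policy, signature, now=now
    )


if __name__ == "__main__":
    secret = KEYS["A1b2c3ExampleKey"]["secret"]
    policy, sig = sign_policy(secret, {"call": "store", "expiry": int(time.time()) + 600})
    print("valid upload:", authorize_upload("A1b2c3ExampleKey", "https://app.example.com", policy, sig))
    print("wrong origin:", authorize_upload("A1b2c3ExampleKey", "https://other.example.net", policy, sig))
    print("tampered policy:", authorize_upload("A1b2c3ExampleKey", "https://app.example.com", policy + "x", sig))
```

The point of the HMAC half is the one the founder makes: the public apikey alone cannot be a secret, so the thing that actually authorizes an upload has to be something only the customer's server can produce. Short expiries keep a leaked policy/signature pair from being a durable credential.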
I hadn't come across filepicker.io before and reading through the geturl code something jumped out at me:
from subprocess import check_output

# FPAPIURL and email are defined elsewhere in the geturl script; the API key is
# fetched with nothing but the registered email address.
APIKEY = check_output(['curl', '--silent', "%(fpurl)s/getKey?email=%(email)s" % {'fpurl': FPAPIURL, 'email': email}])
From that, it looks like any random person can fill up your filepicker.io space providing they have your API key or know the email address you used to register the account with. Made sense when I read a bit more about what filepicker.io actually does (i.e. a client-side embeddable javascript file uploader) but it's something to be aware of (especially if you link your account up to an S3 backend!).