Via Michael Tsai, a great article about Operating a Public Facing API by Joshua Stein.
And by Thomas Limoncelli, some API Practices If You Hate Your Customers.
I would add that putting in a rate limiter where you can limit the number of queries sent in a day/week/month is also a very good idea: code has bugs, and you want to limit the impact a buggy client has on other clients.
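One way to build the per-client quota described above, as an added example that is not from this post or the linked articles: fixed-window counters for the day, week and month, kept separately for each client so one looping client exhausts only its own allowance. The class name, the limits and the 30-day month are assumptions.

```python
import math
import time
from collections import defaultdict

# Assumed limits: (window length in seconds, max requests). The month is
# approximated as 30 days; windows are aligned to the Unix epoch.
WINDOWS = {
    "day": (86_400, 1_000),
    "week": (7 * 86_400, 5_000),
    "month": (30 * 86_400, 15_000),
}

class QuotaLimiter:
    """Fixed-window request quotas, counted separately for each client."""

    def __init__(self, windows=WINDOWS, clock=time.time):
        self.windows = windows
        self.clock = clock
        # counts[client_id][window_name] = [window_index, requests_used]
        # Key on the authenticated client ID, not on a caller-supplied value.
        self.counts = defaultdict(dict)

    def check(self, client_id):
        """Return (allowed, retry_after_seconds, exhausted_window)."""
        now = self.clock()
        slots = self.counts[client_id]
        retry_after, blocked_by = 0, None
        for name, (length, limit) in self.windows.items():
            index = int(now // length)
            slot = slots.get(name)
            if slot is None or slot[0] != index:
                slot = slots[name] = [index, 0]  # window rolled over: reset
            if slot[1] >= limit:
                wait = math.ceil((index + 1) * length - now)
                if wait > retry_after:  # report the longest wait
                    retry_after, blocked_by = wait, name
        if blocked_by:
            return False, retry_after, blocked_by  # rejected calls are not counted
        for slot in slots.values():
            slot[1] += 1
        return True, 0, None

if __name__ == "__main__":
    limiter = QuotaLimiter(windows={"day": (86_400, 3)})
    for n in range(5):  # constructed traffic from one looping client
        print(n, limiter.check("client-a"))
```

On a denial, the API can answer with HTTP 429 and send the second value as the `Retry-After` header.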