But that raises the complexity of hosting this data immensely. From a file + nginx you now need active authentication, issuing keys, monitoring, rate limiting...

Yes, this is the "right" solution but it is a huge pain and it would be nice if we could have nice things without needing to do all of this work.

This is tragedy of the commons in action.

Speaking as the person running it - introducing API keys would not be a big deal, we do this for a couple paid services already. But speaking as a person frequently wanting to download free stuff from somewhere, I absolutely hate having to "set up an account" just to download something once. I started that server well over a decade ago (long before I started the business that now houses it); the goal has always been first and foremost to make access to OSM data as straightforward as possible. I fear that having to register would deter many a legitimate user.

Yeah, I totally get it. In an ideal world we could just stick a file on an HTTP server and people would download it reasonably. Everything is simpler and happier this way.

There’s a cheapish middle ground - generate unique URLs for each downloader, which basically embeds a UUID “API” key.

You can paste it into a curl script, but now the endpoint can track it.

So not example.com/file.tgz but example.com/FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8/file.tgz

Yeah, but everyone knows that one. ;)

Everyone also knows the API keys that are used for requests from clients (apps/websites/etc.). ;)
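
The unique-URL idea suggested earlier in the thread, sketched as an added example (not code from any commenter or from the download server being discussed): tokens are issued without an account, embedded in the path, and each token gets its own download budget. The `TokenGate` class, the `/<uuid>/<filename>` layout and the limits are assumptions made for illustration.

```python
import re
import time
import uuid
from collections import defaultdict, deque

# Path layout assumed for this sketch: /<uuid-token>/<filename>
PATH_RE = re.compile(
    r"^/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/(\w[\w.-]*)$"
)


class TokenGate:
    """Tracks downloads per URL token and throttles tokens over budget."""

    def __init__(self, max_downloads=3, window_seconds=3600):
        self.max_downloads = max_downloads
        self.window = window_seconds
        self.issued = set()                # tokens handed out, no account needed
        self.history = defaultdict(deque)  # token -> timestamps of recent downloads

    def issue_url(self, filename):
        token = str(uuid.uuid4())          # random (version 4) UUID
        self.issued.add(token)
        return f"/{token}/{filename}"

    def check(self, path, now=None):
        """Return (HTTP status, reason) for a request path."""
        now = time.time() if now is None else now
        m = PATH_RE.match(path)
        if not m:
            return 404, "no token in path"
        token = m.group(1)
        if token not in self.issued:
            return 403, "unknown token"
        recent = self.history[token]
        while recent and now - recent[0] >= self.window:
            recent.popleft()               # drop downloads outside the window
        if len(recent) >= self.max_downloads:
            return 429, "token over budget"
        recent.append(now)
        return 200, "ok"
```

A token pasted into a shared script is throttled as a single downloader, which is the tracking the suggestion is after; it identifies a URL, not a person.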