API keys can be easily stolen and distributed. You should use OAuth2 for securing access to your api endpoints expanding objects can lead to security issues. Attackers can run queries that take up significant system resources. Such a query can disrupt your service. Attackers can access sensitive information from a clever join. Otherwise, nice blog post