
You shouldn’t arbitrarily include or exclude information. The response to a given input should always be the same output, and not depend on what API key you are calling with.


It's not arbitrary. It's based on authorization levels for object properties/fields. If you haven't encountered this it's likely that you haven't spent much time working on a system with many different distinct classes of actors.

Developing a different getUser API for 20 different caller types does not scale.


I agree. Using API key to determine what kind of information is returned is a strange solution. It would effectively mean that if the airline is developing an application that has multiple levels of users (airline employees, customers, admins) it would need to store and use multiple API keys to retrieve the data.

Of course, the real solution here is that the airline software should not just pass along everything it received from Amadeus but rather that they should convert it and return only the relevant subset. This would avoid these types of issues.


Well unfortunately that's just not how the real world works. In most production systems you are going to end up with a bunch of fields that aren't visible to regular users. There ends up being a whole bunch of roles that need access to different levels and instead of implementing separate APIs for every user type, you just mask out the fields a specific type isn't allowed to see.

This is frequently called property level authorization or field level authorization.

https://stackoverflow.com/questions/30002351/enforcing-prope...

https://help.salesforce.com/articleView?id=security_data_acc...

You're just wording it in an indirect way to make it seem like something different. It's not "Using API key to determine what kind of information is returned", it's "hiding sensitive fields based on permissions".
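The field-level authorization the commenters describe, as an added example written for this page (not code from Amadeus, Salesforce, or any commenter): one handler serves every caller type, a per-role allowlist decides which fields survive, and unknown roles or keys are denied by default. The record, API keys and roles are constructed sample values.

```python
from typing import Any

# Constructed sample of a full upstream record, as an integrating application
# might receive it before deciding what each caller is allowed to see.
FULL_RECORD: dict[str, Any] = {
    "pnr": "ABC123",
    "passenger": {"name": "J. Doe", "email": "jdoe@example.com", "passport": "X1234567"},
    "payment": {"card_last4": "4242", "amount": 412.50},
    "internal": {"fare_basis": "YOWAU", "agent_id": 77},
}

# Per-role allowlists (constructed). A field is returned only if the role's
# policy names it; nested paths use dots and "<object>.*" exposes a whole object.
FIELD_POLICY: dict[str, set[str]] = {
    "customer": {"pnr", "passenger.name", "passenger.email", "payment.amount"},
    "employee": {"pnr", "passenger.*", "payment.card_last4", "payment.amount"},
    "admin": {"*"},
}

# Constructed credential-to-role mapping: the key only identifies the caller;
# the role it resolves to, not the key itself, drives the filtering.
API_KEY_ROLES: dict[str, str] = {"key-cust-0001": "customer", "key-emp-0001": "employee"}


def filter_fields(record: dict[str, Any], allowed: set[str], prefix: str = "") -> dict[str, Any]:
    """Return a copy of `record` containing only allowlisted paths (deny by default)."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        path = f"{prefix}{key}"
        if "*" in allowed or path in allowed or f"{prefix}*" in allowed:
            out[key] = value
        elif isinstance(value, dict):
            sub = filter_fields(value, allowed, prefix=f"{path}.")
            if sub:  # drop objects that end up empty after masking
                out[key] = sub
    return out


def get_booking(role: str, record: dict[str, Any] = FULL_RECORD) -> dict[str, Any]:
    """Single getUser-style endpoint: same lookup for all roles, masking applied on the way out."""
    allowed = FIELD_POLICY.get(role)
    if allowed is None:
        raise PermissionError(f"no field policy for role {role!r}")  # unknown role sees nothing
    return filter_fields(record, allowed)


def handle_request(api_key: str) -> dict[str, Any]:
    """Resolve the caller's role from its key, then serve the masked record."""
    role = API_KEY_ROLES.get(api_key)
    if role is None:
        raise PermissionError("unknown API key")
    return get_booking(role)
```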



