Calling external API without showing API key

I’m trying to figure out the best way to call an external API (hosted on my server) while hiding the API key.

Of course, I can just add the API key to the package, but the user can easily open the .xpi file and see the key. I can also force the user to create an account and sign in, but I’d like it to just work “out of the box”.

Alternatively, would there be a better way to ensure that only Thunderbird users using my addon have access to the API (to avoid abuse)?


Actually, there is an even simpler way to “track down” the secret key: simply check the network requests. You can’t hide anything there (unless it’s encrypted).

Anyway, I would say don’t bother with this, because there is a good chance it won’t be a problem at all. It’s good that you think about security from the beginning, but you may just be wasting your time. Even if someone abuses it, they won’t be able to use it legally, so you can report every product that uses it.

And if you feel like you really need something, look for the easiest solution instead, for example limiting the number of calls from the same IP address. This can be done at the firewall level without any programming.
Also, creating an account these days, thanks to OAuth 2, can be as simple as two clicks :) .

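The per-IP limit suggested in the reply above, as an added example that is not part of the thread. The reply proposes doing it at the firewall level; this shows the same idea as a sliding-window limiter in application code (plain JavaScript, runnable in Node without dependencies), fed with constructed sample traffic: one client hammering the API with a key copied out of the .xpi and one normal client. `RateLimiter`, `simulateTraffic`, the limit of 30 requests per minute and the addresses are all assumptions for the illustration.

```javascript
// Added example, not code from the thread: a per-IP sliding-window rate limiter.
// Hypothetical names: RateLimiter, simulateTraffic. Sample traffic is constructed.

class RateLimiter {
  // limit: maximum requests allowed per client address within windowMs milliseconds.
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> ascending request timestamps (ms) still inside the window
  }

  // Returns true if the request from `ip` at time `now` may proceed, false if the
  // caller should reject it (e.g. HTTP 429). Expired timestamps are dropped first,
  // so each active client holds at most `limit` entries.
  allow(ip, now) {
    const cutoff = now - this.windowMs;
    const stamps = this.hits.get(ip) || [];
    while (stamps.length && stamps[0] <= cutoff) stamps.shift();
    if (stamps.length >= this.limit) {
      this.hits.set(ip, stamps);
      return false;
    }
    stamps.push(now);
    this.hits.set(ip, stamps);
    return true;
  }

  // Forget clients not seen within the window; call periodically to bound memory.
  sweep(now) {
    const cutoff = now - this.windowMs;
    for (const [ip, stamps] of this.hits) {
      if (!stamps.length || stamps[stamps.length - 1] <= cutoff) this.hits.delete(ip);
    }
  }
}

// Constructed traffic: an abuser (203.0.113.7) who extracted the key sends 100
// requests in 10 seconds; a normal client (198.51.100.2) sends one every 5 seconds.
function simulateTraffic() {
  const limiter = new RateLimiter(30, 60000); // assumed policy: 30 requests/minute/IP
  const counts = { allowed: {}, rejected: {} };
  const record = (ip, ok) => {
    const bucket = ok ? counts.allowed : counts.rejected;
    bucket[ip] = (bucket[ip] || 0) + 1;
  };
  for (let i = 0; i < 100; i++) record('203.0.113.7', limiter.allow('203.0.113.7', i * 100));
  for (let i = 0; i < 3; i++) record('198.51.100.2', limiter.allow('198.51.100.2', i * 5000));
  // Once the window has passed (t = 70 s) the abuser's old hits have expired.
  record('203.0.113.7', limiter.allow('203.0.113.7', 70000));
  limiter.sweep(70000);
  return counts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(simulateTraffic()));
}
```

Two caveats a practitioner would add: if the API sits behind a reverse proxy, the address must come from the proxy's forwarded header (and only from a proxy you trust), not from the socket, or every client shares one bucket; and a per-IP limit only slows down a single abuser, it does not stop someone with the key and many addresses, which is why the reply's other suggestion (accounts, e.g. via OAuth 2) is the stronger option if abuse ever becomes a real problem.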

Fair point, I’ll probably leave it as is. Thanks!