Do you have any experience working with git/github? The main issue that I'm dealing with it that I don't want to expose some of the server side API that I've written for VGC. I think with little effort I could rewrite some of it to store the API key in a file and just add it to .gitignore. I'd also need to create a few keys for developers to use.
Security through obscurity isn't a thing. If it's just an API key you're hiding, someone could easily sniff that. :-)
Even worse, they have an api with keys, but they "hide" the key in a php file that is used by the app to forward requests to the actual api.
If I wanted to use your api I shouldn't even worry about sniffing a key that you'll disable.
Unfortunately once you expose an API on the web, you can only make it harder for people to use it, but there's no way to hide. You could replace JSON data with HTML scraping, but the performance will decrease dramatically.
Also, you should hash a password before sending it to the api, then check if the created hash matches the one in your database (unless you're storing clear passwords, in 2015).
http://vgcollect.com/api/api.php?action=validate&username=vektor&password=MYPASSWORDINCLEARTEXT
is not safe, use MD5 or SHA.