Clowder / CATS-146

Bookmarklets must not expose application key


    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Normal

      In bookmarklet.scala in develop, the application key is shown in the JS. This is a serious security issue, unless we have a way to assure that only sites trusted 100% for <anything> in Medici (even to administrate) can view the bookmarklet. As I don't think any sites should have rights that elevated, I believe the key has no place in JS code.

      The way API AJAX calls are done elsewhere is by using authentication by browser-side cookies given to the user by securesocial when the user logs in. We most likely need to put in place a mechanism in the bookmarklet code such that when the bookmarklet is loaded:

      1) The user is somehow connected to securesocial in the Medici instance and prompted to log in (if the user doesn't have a login cookie already). Securesocial then returns the user's cookie (if the login is successful), just like when accessing regular Medici pages from the browser.
      2) The API AJAX calls in the bookmarklets are done without the key, using cookie-based authentication, like the rest of the API AJAX calls.

              spadhy Smruti Padhy
              csophocleous Constantinos Sophocleous
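The two-step flow the report asks for (no key in the bookmarklet, cookie-based API calls with a redirect to login when no session exists), as an added example. This is illustrative code written for this page, not Clowder/Medici code from bookmarklet.scala. The instance URL, the `/login` page, the `/assets/bookmarklet.js` script and the `/api/...` path are assumed names, and the `fetch` implementation is injected so the example runs offline.

```javascript
// Added example, not Clowder/Medici code. Demonstrates: a bookmarklet that carries
// no API key, API calls that rely on the securesocial session cookie, and a
// 401/403 -> login redirect when the user has no session.
// Hypothetical names: baseUrl (the Medici instance), /login, /assets/bookmarklet.js, /api/...

// Patterns a reviewer would grep generated bookmarklets for before shipping them.
const API_KEY_PATTERN = /[?&]key=|apiKey|api_key|X-API-Key/i;

// The flawed form the issue describes (constructed for contrast): the key is
// baked into the bookmarklet, so any page that can read the bookmarklet owns the key.
function buildBookmarkletWithKey(baseUrl, key) {
  return "javascript:(function(){var s=document.createElement('script');" +
    "s.src='" + baseUrl + "/assets/bookmarklet.js?key=" + key + "';" +
    "document.body.appendChild(s);})();";
}

// The hardened form: the bookmarklet only loads the loader script; no secret is embedded.
function buildBookmarkletWithoutKey(baseUrl) {
  return "javascript:(function(){var s=document.createElement('script');" +
    "s.src='" + baseUrl + "/assets/bookmarklet.js';" +
    "document.body.appendChild(s);})();";
}

// Check to run over every generated bookmarklet: does it carry key material?
function exposesKey(bookmarkletSource) {
  return API_KEY_PATTERN.test(bookmarkletSource);
}

// Step 2 of the report: the request the loaded script makes is cookie-based and keyless.
// credentials: 'include' makes the browser attach the securesocial cookie even though
// the bookmarklet runs on a third-party page (cross-origin).
function buildSessionRequest(baseUrl, path, body) {
  return {
    url: baseUrl + path,
    init: {
      method: 'POST',
      credentials: 'include',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Step 1 of the report: no valid session cookie means 401/403 from the API, so send
// the user to the instance's login page and come back to the page they were on.
function nextAction(status, baseUrl, returnTo) {
  if (status === 401 || status === 403) {
    return { action: 'login', url: baseUrl + '/login?redirect=' + encodeURIComponent(returnTo) };
  }
  if (status >= 200 && status < 300) return { action: 'done' };
  return { action: 'error', status: status };
}

// Glue the two steps together; fetchImpl is injected so this runs without a browser.
async function submitFromBookmarklet(fetchImpl, baseUrl, path, body, returnTo) {
  const req = buildSessionRequest(baseUrl, path, body);
  const res = await fetchImpl(req.url, req.init);
  return nextAction(res.status, baseUrl, returnTo);
}

// Constructed fake server: accepts only requests that arrive with a session cookie
// and rejects any request that tries to pass a key in the URL.
function makeFakeFetch(userHasSession) {
  return async function (url, init) {
    if (API_KEY_PATTERN.test(url)) throw new Error('key must never appear in a request');
    const cookieSent = init.credentials === 'include' && userHasSession;
    return { status: cookieSent ? 200 : 401 };
  };
}

async function demo() {
  const baseUrl = 'https://medici.example';            // assumed instance URL
  const returnTo = 'https://some-site.example/page';   // page the bookmarklet was clicked on
  const loggedOut = await submitFromBookmarklet(makeFakeFetch(false), baseUrl, '/api/items', { title: 'x' }, returnTo);
  const loggedIn = await submitFromBookmarklet(makeFakeFetch(true), baseUrl, '/api/items', { title: 'x' }, returnTo);
  return { loggedOut: loggedOut.action, loggedIn: loggedIn.action };
}
```

Two caveats a practitioner should keep in mind with this pattern: the session cookie is only sent from a third-party page if it is set with `SameSite=None; Secure` and the API answers the cross-origin request with `Access-Control-Allow-Credentials: true` for an explicit, non-wildcard `Access-Control-Allow-Origin`; and because cookie authentication is ambient, the API must keep its CSRF protection (origin checks or a token) so that arbitrary sites cannot drive it with the user's session the same way the bookmarklet does.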