If done in a way similar to Google's API, then ripping a key wouldn't matter much since the key is limiting. The client-side applications wouldn't directly access the webservice API, rather the client-side app provider would be an intermediary. Client apps query the host provider and that host queries Wikipedia's API. If the client app provider wants to support more than 1000 queries per day (Google's limit), then they'd need to pay for more queries. Can't be ripped anyway since the key lies with the provider, not the client.
On Wikipedia's side, the implementation and intermediary APIs and architecture don't matter. Just implement user key webservices API with query limits, and you're done.
- MHart - http://taxalmanac.org