As per discussion on #27, we’re currently using Meetup’s signed URLs:

Similar to OAuth signing, this method of authentication certifies that a request was approved by a particular user. Unlike OAuth-signed requests, key-signed requests may be reused and recycled as long as their corresponding API key is valid. If a signed URL is released to the public, any application can use it to interact with Meetup as if it had that API key; the difference is that it can not change definitive parameters or use the signature against other API methods.

We should probably not be letting other people act on behalf of our API key long term, and instead be storing our API key in an environmental variable.