Should we mask API keys?
As an authentication token, an API key is pretty much functionally identical to a password.
Does it follow then that we should mask the API key, when it is entered in a settings dialog?
The reason NOT to mask it might be that it's not typically easy to remember through the 'shoulder-surfing' approach, so the utility of being able to easily compare the first few digits to some other key copied from a file somewhere might outweigh the security benefits of obscuring it.