Here is a snippet for testing. Of course the "Plugin" is faster since it's on your system, but you can use the "API" in anything without the plugin.
Example:
#define API_KEY "4lvx237efi923x120"
#define API_PROTOCOL "byond://"
#define API_URL "208.73.201.205"
#define API_PORT "1"
#define API_CONNECTION API_PROTOCOL+API_URL+":"+API_PORT
#define API_EXECUTE(API_PARAMS) world.Export(text("[]?[]&apikey=[]",API_CONNECTION,API_PARAMS,API_KEY))
proc
SHA1() return API_EXECUTE("action=encrypt&method=sha1&string=[url_encode(args[1])]")
SHA224() return API_EXECUTE("action=encrypt&method=sha224&string=[url_encode(args[1])]")
SHA256() return API_EXECUTE("action=encrypt&method=sha256&string=[url_encode(args[1])]")
SHA384() return API_EXECUTE("action=encrypt&method=sha384&string=[url_encode(args[1])]")
SHA512() return API_EXECUTE("action=encrypt&method=sha512&string=[url_encode(args[1])]")
mob/verb/Test()
src<<SHA1("sha1")
src<<SHA224("sha224")
src<<SHA256("sha256")
src<<SHA384("sha384")
src<<SHA512("sha512")
mob/verb/Check_Usage()
var/uses=API_EXECUTE("action=checkusage")
src<<"This API has been called [uses] times for your api key!"
Since this communicates with a remote server and gets a return value, the API is a bit more slower.
The remote server has all the plugin's required so the snippet is just plug n' play like stuff.
Even if I logged the information, it would be sent only from an address that the world is hosted at.
At most, I get nothing out of it. If the string "a golden goblin" was parsed, all I'll get is the hash for it since it's the only value being passed through. Not much to go off of on this.
Only security concern would be for people towards the developers using the API, since they can manipulate whatever data they get, my end is totally clear.