I Have seen alot of sample where the API key is hard coded into, unless you are building a desktop there is no need to do this. Facebook provides the API key, and the session key in the iframe url. Your application should retrieve the keys from the url, this makre your code more portable.
Url Variables:
- fb_sig_api_key
- fb_sig_session_key
- fb_sig_ss
UPDATE – 9/10/10
With the new changes to face book app, make sure that you go into the advanced setting and check canvas session parameters.