How does Google Analytics prevent traffic spoofing

Question

We want to embed an ajax style service into a number of our websites each with a unique api key. The problem that I can see is that because the api key is stored in the java

Answer 1

At a guess, I'd say the key is one half of a public-private key pair that (somehow) includes the URL as a hash. This way, the key will only work, and the hits only registered, if the request is for the URL for which the key was generated. You can't spoof the request, because if you do it goes to the wrong URL and nothing happens.