This is pretty standard when fetching entire complex objects from many backends. You get the full object with all of the fields the authorization layer allows you to see.
Something like "GET /reservation/<id>" would rarely require you to specified the 50 fields that you would like included in the response. Many offer fields to explicitly filter for specific things, but the default is almost always to return the full object as much as the caller is allowed to see.
You shouldn’t arbitrarily include or exclude information. The response to a given input should always be the same output, and not depend on what API key you are calling with.
It's not arbitrary. It's based on authorization levels for object properties/fields. If you haven't encountered this it's likely that you haven't spent much time working on a system with many different distinct classes of actors.
Developing a different getUser API for 20 different caller types does not scale.
I agree. Using API key to determine what kind of information is returned is a strange solution. It would effectively mean that if the airline is developing an application that has multiple levels of users (airline employees, customers, admins) it would need to store and use multiple API keys to retrieve the data.
Ofcourse, real solution here is that the airline software should not just pass along everything it received from Amadeus but rather that they should convert it and return only the relevant subset. This would avoid these type of issues.
Well unfortunately that's just not how the real world works. In most production systems you are going to end up with a bunch of fields that aren't visible to regular users. There ends up being a whole bunch of roles that need access to different levels and instead of implementing separate APIs for every user type, you just mask out the fields a specific type isn't allowed to see.
This is frequently called property level authorization or field level authorization.
You're just wording it in an indirect way to make it seem like something different. It's not "Using API key to determine what kind of information is returned", it's "hiding sensitive fields based on permissions".
Something like "GET /reservation/<id>" would rarely require you to specified the 50 fields that you would like included in the response. Many offer fields to explicitly filter for specific things, but the default is almost always to return the full object as much as the caller is allowed to see.