I do happen to think something standalone for desktops would be good, something that allows hosts to make queries on already existing clients they are suspicious of. If you wanna do that it'd be great, because I'm pretty much out of time ...
There's a bit of a problem though with having a desktop application ... the way API keys are validated might interfere. You might have to proxy requests through a script on the server that validates the API key and returns data from it to the desktop to get around it ...
When I first read that I was a bit confused on what you meant. I took a look at the stuff you have up on the site and I get it now. Using a hostname based lookup will completely screw up any chances of it working under a normal circumstance. I suppose it could be set up with a mirrored server passing through the requests - but at that point would it perhaps be easier to create a different system for requests through the desktop client?
2 things I could see:
a) General desktop client uses a readonly dynamic API key. No information can be submitted, only lookups can be performed.
b) If you have a hosting server, you can install a proxy script onto it that the desktop client can register with and act through. In this case, the client would then send its requests through the proxy script on the host's server, which appends the API key it has to the request, and then returns the results back down to the client.
I think this might be a decent idea, it limits the true use of the system still only to those who are in the hosting industry - limits the ability to abuse the system through spamming random crap through the desktop client - since they will need a server with a hostname to send anything up to the server. It still allows them to view things however, and a service could always be set up on the web to allow auxiliary login for authorization to send stuff to the service, if you catch what I mean - whether this is handled on the HI server directly or via a mirror is up for discussion.
I'm headed into college next week, so things are a bit busy trying to prepare and whatnot, but I'll see if I can whip something together sometime over the next couple of weeks.
--
As a side note, were you planning on writing an interface to the service viewable at the web address - a login-type system?
I.e.: Host A wants to do a manual check but doesn't have the script installed on his server. He can just go to hostinquest and log in with his API key (and password for this purpose) and then use the web interface to view/submit things.
I think I get the overall verification of API vs hostname, it keeps the possibilities of abuse to a minimum, and having a web/desktop interface to the service with more than just read-only access is something that could be abused unless handled properly - I'm not sure if/what you had planned in this regard.
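
The proxy idea in (b), combined with the read-only restriction in (a), shown as an added example that is not part of the original posts or the service's own code. The endpoint, parameter names (`action`, `api_key`), client ids and tokens are all assumptions made for illustration; the thread does not document the real API.

```python
import hmac
from urllib.parse import urlencode

# All names and values below are hypothetical and constructed for illustration.
UPSTREAM = "https://api.example.invalid/lookup"          # placeholder upstream endpoint
API_KEY = "CONSTRUCTED-HOST-API-KEY"                     # held only on the host's server
CLIENT_TOKENS = {"desk-01": "constructed-client-token"}  # registered desktop clients
READ_ONLY_ACTIONS = {"lookup"}                           # option (a): lookups only
WRITE_ACTIONS = {"submit"}                               # needs explicit authorization
WRITE_ENABLED = set()                                    # no desktop client may submit by default


class Rejected(Exception):
    """Raised when the proxy refuses to forward a request."""


def build_upstream_url(client_id, client_token, params):
    """Authenticate the desktop client, then return the upstream URL with the key appended."""
    expected = CLIENT_TOKENS.get(client_id)
    # Constant-time comparison; unknown ids are compared against an empty value.
    same = hmac.compare_digest((expected or "").encode(), client_token.encode())
    if expected is None or not same:
        raise Rejected("unregistered client")
    action = params.get("action")
    if action not in READ_ONLY_ACTIONS | WRITE_ACTIONS:
        raise Rejected("unknown action")
    if action in WRITE_ACTIONS and client_id not in WRITE_ENABLED:
        raise Rejected("client is read-only")
    # Drop any key the client supplied; the proxy's key is the only one sent upstream,
    # so the request still originates from the host's server and hostname.
    forwarded = {k: v for k, v in params.items() if k != "api_key"}
    forwarded["api_key"] = API_KEY
    return UPSTREAM + "?" + urlencode(sorted(forwarded.items()))


if __name__ == "__main__":
    print(build_upstream_url("desk-01", "constructed-client-token",
                             {"action": "lookup", "q": "client@example.com"}))
```

The desktop client only ever holds its own registration token, so revoking one client does not require rotating the host's API key.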