are the entities and concomitant the data entries generally different for each api key or is this just a security measure where some of the clients aren't authorized to access / change the entities?
If there is a general difference between the data sets each client is getting (client A gets data A and client B gets data B) I'd highly recommend to seperate those into different resources. That implies there should also be different URLs for those resources.
By generating those resources the server has to build up the corresponding URLs and returning them to you, probably '/v1/resources/42' for client A and ' /v1/resources/53' for client B.
After creating those resources the client is responsable to handle application state which means the client has to hold the URL and interact with the resource behind it if required.
By doing it that way you don't have to use the application id inside your API.
On the subject of caches:
If you want to receive the advantages of caching, your API should always indiscriminately carry back the same response for the same GET-requests on a resource (if not explicitely changed) for every client.
By same GET-request I mean a GET request on the same URL using the same media type (consider content negotiation).
That's one of the aspects of self-descriptive messages.
If the cache always gets different responses (for different application ids) how would he be able to cache that data.
By different levels of caches I mean for example proxy-caches on the client side, reverse-proxy- or API-gateway-caches on the server side and probably additional caches on the way between client and server.
There are also application cache like browser cache.
Every mentioned level could further have different levels of caches.
Once your API is caching-able you can take advantage of all those caches without having to change anything.
I'll probably write a thouroughly blog entry on that topic sometime.
Regards
Thomas