On a one-off dyno inside Heroku (EC2) I can trivially show that API results are cached. Please add the header 'cache-control: private, max-age=0, no-cache'. Really, do also allow API keys to be sent via the 'authentication' header; that way this would never have been an issue. There are many good reasons to use 'authentication', notably that most caches and proxies do the right thing, such as not caching and not logging the contents of that header anywhere. See also bug 1216799.
Commits pushed to master at https://github.com/mozilla/mozillians

https://github.com/mozilla/mozillians/commit/0ec09f394b95baf1e548460d91fb1f9d428c9103
[Fix bug 1227293] Do not cache API v2 responses.

https://github.com/mozilla/mozillians/commit/9340e9e915974cee09bb9a8d9809d3c0c24f2e08
Merge pull request #1289 from johngian/1227293

[Fix bug 1227293] Do not cache API v2 responses.
Although there is a cache-control header, it has max-age=0, which is different from no-cache. Since the API reflects any changes in the profiles immediately and the never_cache decorator in Django adds the 'no-cache' and 'no-store' in version 1.8, which is already in a PR, I am marking this bug as verified.

https://code.djangoproject.com/ticket/13008
https://github.com/mozilla/mozillians/pull/1315
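The difference between max-age=0, no-cache, private and no-store raised in this thread, as an added example that is not part of the original comments or the mozillians code: a small checker that applies the RFC 9111 rules (simplified) to a Cache-Control value. The function names and the sample header values are assumptions constructed for illustration.

```python
"""Added example: how a cache may treat a Cache-Control value (RFC 9111, simplified)."""

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def lifetime(directives, shared):
    """Freshness lifetime in seconds, or None when the header gives none."""
    raw = directives.get("s-maxage") if shared else None
    if raw is None:
        raw = directives.get("max-age")
    if raw is None:
        return None
    return int(raw) if raw.isdecimal() else 0  # invalid values count as stale

def assess(value, shared=True):
    """Return (may_store, reuse) for a shared (proxy/CDN) or private cache.

    reuse is 'never' (always revalidated with the origin), 'stale-only'
    (expired at once, but may be served stale, e.g. origin unreachable),
    'fresh' (served without contacting the origin) or 'heuristic'
    (no explicit lifetime, the cache may pick one itself).
    """
    d = parse_cache_control(value)
    if "no-store" in d or (shared and "private" in d):
        return (False, "never")
    if "no-cache" in d and d["no-cache"] is None:  # unqualified form only
        return (True, "never")
    age = lifetime(d, shared)
    if age is None:
        return (True, "heuristic")
    if age > 0:
        return (True, "fresh")
    strict = "must-revalidate" in d or (
        shared and ("proxy-revalidate" in d or "s-maxage" in d))
    return (True, "never" if strict else "stale-only")

# Constructed sample values, not captured from the service.
SAMPLES = ["max-age=0", "private, max-age=0, no-cache",
           "max-age=0, no-cache, no-store, must-revalidate"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50} shared={assess(header)} private={assess(header, shared=False)}")
```
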