If you give your master API key to all of your users, they will have the same permissions with your database as you do.
1. Yes, but you should generate more keys for each of your users (or at least for each user group, like Player)
2. Yes. (Assuming the API key is used as a session ID)
3. Authorization will allow you to give each user group fine-grained control over what they .read or .write to.
We're going to assume that Google takes care of the deeper security aspects.
Although, this fellow seems to disagree: https://stackoverflow.com/questions/374 ... the-public
I would still make a separate API key for your users though, just to be safe.