2

My architecture consists of a front end server and a backend/API server. The API is accessible to the end user, however I want the front end server to be able to access certain routes of the API that aren't accessible to the end user (higher privilege).

This question has 2 parts:

(1) I need to use API keys for the end user. What's the best practice to do this?

(2) How does the front end play into the API Key system? The client will need to log into their account to access these elevated privileges available from the front end. (such as enabling webhooks)

My application is hosted on Google Cloud App Engine Standard env and I'm using node.js 10. It would be awesome if anyone had any suggestions relating to this architecture.

I know this question is somewhat general but I've spent a few hours looking around online and my question isn't so much how to use API keys, nor how to authenticate frontend, but rather: what is the best practice to do these two together?

Thanks, Nikita

Improve this question

1 Answer 1

Reset to default
2

JWT (https://jwt.io/introduction/) can help with this. You can include API key as well as JWT in the request header. Some services accept API key as a URL parameter but putting such sensitive data in header is a better approach.

JWT can be stored in the cookie when the user authenticates and can be transferred with the request to the server.

The server can use API key for authenticating and decode this JWT using the key available in the server environment for authorizing access as decoding this JWT can reveal the type of user and hence aid is figuring out what level of access is required.

A straight-forward approach used with multiple variations. You can start with the basic version and keep adding layers/features progressively.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Awesome, I saw people recommending this, but its good to know that this is the correct approach for my API as well. Thanks!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.