2

I'm going to create an API service for my clients to use. The api is gonna return some data that will be displayed to the customers using my client's website. The api does not need any kind of user data.

I was thinking to use an api key and use it to return the relevant data. But I want to make sure that only the customers using my clients website should be able to access the api.

My question is if I use the api in the front end and expose the api key anyone will be able to use the api from their browser. I don't want that to happen. How do I authenticate this? If that's not gonna work can I use the api from my server to client server? Even then how will I authenticate the server?

I'm using nodejs and express in the backend. Any ideas? Thanks!

Improve this question

2 Answers 2

Reset to default
2

This is a tricky thing to do; essentially restricting public apis. At the end of the day, the web page is going to be in the user's browser on their local machine. So if they can access it from their browser, then they can access them manually too. An API key is the best approach really, but this only acts as a deterrent more than access control. Pretty much any access control type you put into a browser can be mimicked outside the browser unfortunately.

If you want to go down the route of having users login to some extent you should look into json web tokens (jwt). This doesn't need to be on a user level, and can be on a sort of session level if you prefer. This however won't restrict the user accessing the apis directly.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

If your API is public, without user authentication, then there is no way to restrict the access to it.
There are many workarounds like checking for referer or creating special tokens, but it will all be stored at client-side, and a malefactor can reuse it.

It all does not make sense in general. You have already exposed your API to your clients. Even if you create a working algorithm, a malefactor can simply run your website JavaScript methods to make it work. What are you trying to protect from?

If you to restrict the access to your API, then the most proper and efficient way is to make this API back-end, so that only your webclients at server-side have access to it.

Improve this answer

4 Comments

Thanks!. That makes sense. Even if I make the api backend on the client side, do you know how to authenticate that the request is coming from the correct server? I know that we are not exposing the api key but just to make sure.
@prdtuty If you use server-side approach and your server is located in some sort of internal network, you can simply apply default restriction rules like IP filtering, routing, certificates :) Usually, IP filtering is enough - you have web clients at 192.168.0.1, and you have back-end API at 192.168.0.2, which has only the single port (e.g. 80), available to 192.168.0.1 only.
the requesting server is not located internally. Do you think I'll need to enable CORS in this situation?
@prdtuty CORS has nothing to do with server security - it protects your users. Anybody can still make requests and ignore CORS.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.