
Are there any ways to secure the API response with JWT or any other method, but without authentication (login page), so that only the owner site can have access to the API? All the methods and tutorials I saw on Google were based on a login system with JWT.

As an example, if I have a REST API like:

const express = require('express');
const router = express.Router();

router.get('/api/posts', (req, res) => {
  var body = ... // get some via database
  res.json(body);
});

Then I want to consume this only by my site: example.com. And most importantly without authentication (login system).

  • Using a GUID as a URL parameter could be a route you look into. Commented Oct 31, 2016 at 18:31
  • I didn't understand Commented Oct 31, 2016 at 18:41
  • Just pass some kind of identifier as a header in your http request then check for it on the API Commented Oct 31, 2016 at 18:46
  • A GUID is a unique key that gets generated. So, if you want to use something instead of a login, you can generate the GUID and use that as your "key". Meaning, someone would hit the URL "www.yoursite.com/GUIDgoesHere". The GUID is the key that unlocks the data. Just make sure that nobody who isn't supposed to see the data gets the GUID. Commented Oct 31, 2016 at 18:46
  • According to this post, don't rely on custom headers: billpatrianakos.me/blog/2013/09/12/… Commented Oct 31, 2016 at 18:58

1 Answer

First of all, every API request must go through https.

Then you can "secure" user-specific APIs by giving each user a unique token which must be sent with every request. It is also possible to check the host or user agent of the user who requests the API and allow only specific custom user agents (depending on your needs).

Other than that: If you need a JSON response while the user is logged in on the same server, you can check if a given cookie or session is set and can be related to that one specific user.

If you do server-to-server requests for that API, you could check whether the server hostname is valid and matches the one(s) that are allowed to have access.

You can also use encryption to secure your API response (here as well: depending on your needs). If this is true, you can use private/public key encryption similar to GPG/PGP. Of course, only the one who should have access to the API should be able to decrypt the response.

A GUID (Globally Unique Identifier) may be an option if you don't care whether anyone could find out the path to your API. GUID URLs could look like this:

example.com/api/v1/c9a646d3-9c61-4cb7-bfcd-ee2522c8f633


6 Comments

I have a site which just consumes the JSON API without user login.
Then set a cookie for every user which is allowed to access the page. Somehow you need to know if the user is allowed or not to see the API response, even without login. Probably by checking the IP address or hostname?
This post mentions not relying on IP addresses: billpatrianakos.me/blog/2013/09/12/…
@AshishRawat I did mention other ways besides IP addresses. It all depends on how you want to recognize that the user is allowed to see the API response. You can check if the user recently (< x seconds) visited your site, save that request in your database and then allow him to see the API response (based on a session which will be updated at every request, for example).
that info can be passed on as the JWT's payload, no?