
I'm building an external API endpoint that will send email notifications to subscribers. When a subscriberID (50 characters) and a message string are passed to the endpoint, the service will send out a message via email to the subscriber's email address. Due to the nature of the service, it cannot be locked down by IP address, a certificate file, or OAuth2. A third party will be hitting this endpoint with messages to send out to subscribers.

There are currently 100,000-plus subscribers. What are the odds, if a malicious user were to find this endpoint, that they could randomly try subscriberIds, find valid ones, and start sending them emails, given that an ID is 50+ characters long and there are about 100,000 valid subscriberIds?

What are my best options for securing this API endpoint? Here are my thoughts so far: either add an API key that only the third party knows and will send on every request, and/or generate a token for every subscriber, save it to a database, and then on the endpoint require them

1 Answer


A good solution for securing Web APIs is using JWT. If you are building your Web API using ASP.NET Core, it's much easier to use it, as it is a built-in feature.

Also, do you have any limitations regarding the number of emails a subscriber can send? It may be a good idea to have a threshold for each user (every minute, hourly, daily, etc.), so you can avoid being spammed by a malicious user that has access to your Web API.
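The following is an added example, not code from the question or the answer, that combines the two mechanisms discussed above: the question's shared API key plus per-subscriber token, and the answer's JWT with a per-user threshold. It is framework-agnostic (the `handle_notify` handler, the request dict shape, the header names `X-Api-Key` and `Authorization`, and the secrets are all assumptions made for this example) and uses only the Python standard library, implementing HS256 JWT signing and verification with `hmac` rather than a JWT library. Two practitioner details it shows that the text does not: compare secrets with `hmac.compare_digest` so a timing side channel cannot leak the key, and pin the JWT algorithm server-side instead of trusting the `alg` header (which defeats the classic `alg: none` bypass).

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Constructed secrets for this example only (assumptions, not values from the page).
# In a real deployment load these from a secret store, never from source.
API_KEY = "third-party-shared-key-ChangeMe"      # known only to the third party
JWT_SECRET = b"hmac-signing-secret-ChangeMe"     # known only to this service


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_subscriber_token(subscriber_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issue an HS256 JWT bound to one subscriber ("sub") with an expiry ("exp").
    The third party receives this token instead of the raw subscriber ID."""
    now = int(time.time()) if now is None else int(now)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps({"sub": subscriber_id, "exp": now + ttl_seconds},
                                        separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_subscriber_token(token: str, now=None):
    """Return the subscriber id if the token is valid and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it (blocks alg=none).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return None
        return payload.get("sub")
    except (ValueError, TypeError):
        return None


class RateLimiter:
    """Sliding-window threshold per key (e.g. per subscriber), as the answer suggests."""

    def __init__(self, max_per_window: int, window_seconds: int):
        self.max = max_per_window
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> timestamps of recent accepted sends

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def handle_notify(request: dict, limiter: RateLimiter, now=None):
    """Hypothetical endpoint handler. request = {"headers": {...}, "body": {...}}.
    Returns (status, body) so a framework adapter can wrap it."""
    now = time.time() if now is None else now
    headers = request.get("headers", {})

    # 1. Shared API key proves the caller is the third party (constant-time compare).
    presented = headers.get("X-Api-Key", "")
    if not hmac.compare_digest(presented.encode(), API_KEY.encode()):
        return 401, "bad api key"

    # 2. Per-subscriber token proves the caller was issued the right to message this subscriber.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    subscriber = verify_subscriber_token(token, now=now)
    if subscriber is None:
        return 403, "invalid or expired subscriber token"

    # 3. Per-subscriber threshold so a leaked key cannot be used to flood one inbox.
    if not limiter.allow(subscriber, now):
        return 429, "rate limited"

    message = request.get("body", {}).get("message", "")
    # Actually sending the email is out of scope; return the accepted envelope.
    return 200, {"to": subscriber, "message": message}
```

The API key authenticates the third party as a whole; the per-subscriber token replaces the raw subscriberID on the wire, so an attacker who finds the endpoint has to forge an HMAC rather than guess an ID, and the expiry plus the rate limiter bound the damage if a token or the key leaks.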
