A friend and I are building an API with a web front end. The website uses the API via Ajax requests to interact with the back end. We would like to offer limited access to the API to people not using the website (you must pay a fee to use the API), but full, unlimited access to anyone on the website.
Now the problem: We are struggling to identify which API call comes from where. Since the website uses JavaScript for the calls, the request appears to come from the user's IP. We thought about using unique tokens for each call or signing the calls, but JavaScript would expose the methods and keys used in both cases.
We are emphasizing security, so we are looking for a robust solution.
Thanks in advance!
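Added example, not part of the original question: a server-side sketch of the "signed token" idea from the question, written so that the signing key never reaches the browser. It assumes (these are assumptions, not facts from the post) that the website already has a normal login, that the server hands the logged-in page a short-lived HMAC-signed token which the page sends as a `Bearer` header on its Ajax calls, and that third-party clients instead send an `X-API-Key` header tied to a per-key quota. The JavaScript therefore exposes only a token that expires in minutes and cannot be forged, while the API key path is the one that gets metered. The key table and header names are constructed for the example.

```python
"""Distinguish logged-in website sessions from paying API clients.

Added example (not the original poster's code). Assumed design: the web
server issues a short-lived HMAC-signed token to an authenticated session;
the HMAC key stays on the server, so exposing the token in page JavaScript
does not expose anything that lets a third party mint its own tokens.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side secret: generated at startup here for the example; in production
# load it from a secret store and rotate it. It never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)
WEB_TOKEN_TTL = 300  # seconds; short, so a copied token is of little use

# Constructed example API-key table: key -> remaining calls in the window.
API_KEY_QUOTA = {"example-key-1": 3}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_web_token(user_id: str, now: Optional[float] = None) -> str:
    """Called only after a successful website login; the page embeds the
    result and sends it as `Authorization: Bearer <token>` on Ajax calls."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "src": "web", "exp": int(now) + WEB_TOKEN_TTL,
              "jti": secrets.token_hex(8)}  # jti: unique per token
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def verify_web_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time compare; a plain == would leak timing about the tag.
        if not hmac.compare_digest(expected, _b64u_decode(tag)):
            return None
        claims = json.loads(_b64u_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("src") != "web" or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(headers: dict, now: Optional[float] = None) -> tuple:
    """Decide how to treat one API request. Returns (http_status, reason)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_web_token(auth[len("Bearer "):], now)
        if claims:
            return 200, f"web session {claims['sub']}: unlimited"
        return 401, "invalid or expired web token"
    api_key = headers.get("X-API-Key")
    if api_key in API_KEY_QUOTA:
        if API_KEY_QUOTA[api_key] <= 0:
            return 429, "api key quota exhausted"
        API_KEY_QUOTA[api_key] -= 1
        return 200, f"api key: {API_KEY_QUOTA[api_key]} calls left"
    return 401, "no credentials"


if __name__ == "__main__":
    tok = issue_web_token("alice")
    print(authorize({"Authorization": "Bearer " + tok}))
    # Splice alice's body onto bob's tag: signature no longer matches.
    other = issue_web_token("bob")
    spliced = tok.split(".")[0] + "." + other.split(".")[1]
    print(authorize({"Authorization": "Bearer " + spliced}))
    for _ in range(4):
        print(authorize({"X-API-Key": "example-key-1"}))
```

The point of the layout is that there is nothing in the page for a third party to steal except a token bound to a logged-in account and valid for a few minutes; anyone who wants unlimited calls must therefore hold a real website account, which is where abuse controls (account rate limits, CAPTCHA on signup, CORS and `SameSite` cookies on the web path) belong. The API-key branch is the only place where metering and billing apply.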