
I am looking for a way to authorize my app's API so that only requests from my app will be accepted.

For example, I don't want anyone to be able to send a bunch of requests to "/register" to register bot users.

or

Anybody building their own app that uses my servers to handle accounts or other data.

Tembero
  • Can't really keep others from using the API on the web. If it's open to your app, it's open to anyone. For registration, lots of people use a CAPTCHA to attempt to prove there's a real human interacting with the registration API. For other uses, you can require an account/login on your service and then you regulate how the API can be used with things like rate limiting. There are some obstacles you can use such as requiring a regularly expiring key that is embedded in your web page, but a determined coder can scrape the key. – jfriend00 Jun 03 '20 at 15:35
  • What about using IP-based rate limiting? Could that affect the usage of the app? – Tembero Jun 03 '20 at 15:42
  • Rate limiting is generally a good protection to use, but basing it purely on an IP address can cause problems for corporate users behind NAT or behind a proxy (who may share an outbound IP address) so you have to be careful about that. This is why most APIs should require a legitimate account and then you can rate limit based on the account being used. Obviously things like registration can't require an account so you can use other bot detection means such as email verification or captcha. – jfriend00 Jun 03 '20 at 15:49
  • I am currently using JWT for a basic user authentication so maybe base it on that? – Tembero Jun 03 '20 at 18:41
  • Yes, that would make sense. – jfriend00 Jun 03 '20 at 23:25
  • For protecting a registration system include Google reCAPTCHA v3 into your server and check it on server side before allowing a new account registration. For Android the v2 version can be directly integrated into an app. – Robert Jun 04 '20 at 11:48
