I am using symfony 5 and LexikJWTAuthenticationBundle to authenticate users. everything works and I receive the token but I would like to ensure that only my mobile application can access the API. is it possible to secure the api with a key or a hash in addition to the JWT? Thank you.
Asked
Active
Viewed 103 times
1
-
Not really. Google has some tips: https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key . Make sure to rate-limit the API key, restrict its scope and also enforce usge by authenticated users. – GACy20 May 03 '21 at 08:48
-
Simply don't issue JWT tokens to anyone else but your mobile app - i.e. better perform whatever validation rules you imagine at that time once than performing them all on each request. Also make sure to use TLS for all the API calls where Authorization header is sent to prevent the leak of the token. – mkilmanas May 03 '21 at 11:57
-
thanks for your reply and that's exactly what i want to do but i can't find anywhere in the documentation how to only allow users of my app to access the api. for now all API urls (apart from login_check) require a token which I receive after authentication. is it possible to add a control on the login_check so that it only accepts requests from my app? thank you. – ventomachine45 May 04 '21 at 07:23