2

Let's assume that I have created my REST service smoothly and I am returning json results.

I also implemented API key for my users to communicate for my service.

Then Company A started using my service and I gave them an API key.

For example, lets assume that my service url is as follows :

https://api.myservice.com/data?apikey={key_comes_here}

Main problem is that I will have my own web site that also needs to call my own same REST web service. If I pass API key from my web site when I call my own REST service what will stop someone to use for example Firebug, see what API key I am using in my web app and use same API key ?

Radenko Zec
  • 7,659
  • 6
  • 35
  • 39

1 Answers1

1

The method Google uses in eg. Google Maps is to link the API to a URL. So you can only use the supplied key in applications from the URL specified when you requested the key. This is especially usable in web applications, where you can get the referrer url at the server.

Espen Burud
  • 1,871
  • 10
  • 9
  • This sounds very good, but what if I need to expose access to my web service from mobile device ? – Radenko Zec Dec 28 '11 at 08:04
  • @djna the referrer can of course be spoofed, but when you expose a public API for use on websites, users will access the API thru their standard webbrowser. If a normal user must spoof the referer, the website will be unsuable for the majority of users. If the user have direct access to the API, they can always see your API key, even when the site is protected with HTTPS. So, if you would hide the key, I think you should access the service from a backend system. If you want to protect the backend traffic from network sniffers, then you can use HTTPS. – Espen Burud Dec 30 '11 at 12:31
  • I'm not suggestion that normal users should must spoof, rather than we have no protection from an unauthorised and possibly malicious app using the stolen API Key and spoofing the referring URL. The problem here comes from the separation between the application provider and the service provider, the service provider (Radenko) wants to accept requests only from authorised app providers. As you say this is most easily done if the app provider has a controlled server-side proxy subject the same authentication/authorisation as their app itself. – djna Dec 30 '11 at 21:49