1

I'm building a service that provide some readonly information that is going to be used in multiples websites, some with login and some public.

I dont want to make the api public to any website so I'm not sure what auth method i should use. I have some ideas but I don't want to reinvent the wheel.

I was thinking on have the backend of this sites request a token to my server using a secret/password/private_key then they should pass this token to their front end and pass it with each request to my server(their front end will comunicate directly with my API)

Improve this question

2 Answers 2

Reset to default
2

If your public non-authenticated API is accessible by your site, there's no way to stop other people from consuming this API and stealing your data.

You can stop other websites from directly taking data from your API (by not using CORS headers), but if your website is showing data from your API publicly, then assume anyone else can.

If your business relies on not being possible, rethink your business model. If data appears on the screen of a random user, it means that user can take that data and put it somewhere else. It's how the web works.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

I totally agree with @Evert. Having said that, there are some ways you can use to make public API accessible to some and not to all. It will not be perfect, and using some kind of API tokens will be a better solution most of the time, but it might suit your needs.

First of all you can use firewall rules and allow connections from certain IPs only. Simple and will work as long as the source IPs do not change.

Another idea you can use: look at youtube and how private videos work. There is a secret in the URL. With enough entropy you can build publicly accessible URLs this way which can be used to share a simple link with friends, but will be hard to guess by others. There are drawbacks to this technique. You may only allow people to share their content this way, as they have always the rights to make the link public by pasting it into their tweeter/yt/other.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.