Sarfaraz Suleman

Reputation: 21

PHP REST API client verification

I am working on building an API Based Architecture on PHP.

I want to make sure that the client that attempts to consume my API using a distinct API key, is the authorized client. For example, API Key "ABCD1234" is assigned to domain "example.com". If domain "fraud.com" tries to use this API Key, they should NOT be able to consume the API. How do I implement this check on the API end?

Based on what I have seen so far, it is very easy for a client to pass a referrer header to "fake" its true identity.

Also I faintly remember when Google Maps had first launched their API, they implemented a similar technique where only the authorized URL could use the corresponding API Key. So this does not seem out of the realm of possibility.

Any help/direction would be appreciated.

Thank you,

-Saf

Upvotes: 2

Views: 810

Answers (1)

deceze

Reputation: 522042

In a server-to-server scenario, there's very little you can do with domains, because there aren't necessarily any domains involved. It's just an incoming (HTTP) request originating at some IP. That IP does not necessarily have to be tied to any host entry in the DNS system. The best you can do is to require your clients to register allowed IP addresses. Reverse DNS solutions are infeasible for various reasons, not least because they require the client to properly set up reverse DNS, which may not be practical.

If the use case is browser-side, you can use a Google Maps approach in which you require the client to include a script from your server, which checks the location of the current page in the browser. Even that is not entirely tamper-proof though, as is anything client-side. Checking the HTTP Referer server-side is an option as well, but is easily subverted as well by anybody who really wants to. In combination it can make it difficult enough so most abusers would be deterred.

Upvotes: 1
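One way to implement the two checks the answer describes on the API end, as an added example in PHP (not code from the question, the answer, or any library): each API key is registered either as a server-to-server client with a list of allowed source IPs, or as a browser client with a list of allowed page hosts checked against the Origin/Referer header. The key values, hostnames, addresses and the `API_CLIENTS` registry are made-up placeholders, and the requests at the bottom are constructed so the script runs offline.

```php
<?php
// Added example, not from the original Q&A. API keys are tied to a client
// registration: allowed source IPs for server callers, allowed page hosts
// for browser callers. All identifiers below are hypothetical placeholders.
declare(strict_types=1);

// Hypothetical registry; in a real deployment this lives in a database.
const API_CLIENTS = [
    'ABCD1234' => [
        'kind' => 'server',
        'ips'  => ['203.0.113.10', '203.0.113.11'],   // checked against REMOTE_ADDR
    ],
    'WXYZ9876' => [
        'kind'    => 'browser',
        'origins' => ['example.com', 'www.example.com'], // checked against Origin/Referer host
    ],
];

// Look up the registration for $apiKey, or null. hash_equals() keeps the
// comparison constant-time so key contents do not leak via timing.
function lookupClient(string $apiKey): ?array
{
    foreach (API_CLIENTS as $registered => $client) {
        if (hash_equals($registered, $apiKey)) {
            return $client;
        }
    }
    return null;
}

// Lowercased host from the Origin header, falling back to Referer; null if
// neither is present or parseable. In a live request these come from
// $_SERVER['HTTP_ORIGIN'] and $_SERVER['HTTP_REFERER'].
function requestHost(array $headers): ?string
{
    foreach (['Origin', 'Referer'] as $name) {
        if (!empty($headers[$name])) {
            $host = parse_url($headers[$name], PHP_URL_HOST);
            return is_string($host) ? strtolower($host) : null;
        }
    }
    return null;
}

// $remoteAddr must be the socket peer address ($_SERVER['REMOTE_ADDR']).
// Behind a reverse proxy, take it from the proxy's trusted forwarding header,
// never from a header the client itself can set.
function authorize(string $apiKey, string $remoteAddr, array $headers): array
{
    $client = lookupClient($apiKey);
    if ($client === null) {
        return ['ok' => false, 'reason' => 'unknown api key'];
    }

    if ($client['kind'] === 'server') {
        // Server-to-server: the source IP is the only thing that can be pinned.
        if (!in_array($remoteAddr, $client['ips'], true)) {
            return ['ok' => false, 'reason' => "ip $remoteAddr not registered for key"];
        }
        return ['ok' => true, 'reason' => 'ip allowed'];
    }

    // Browser-side: pin the embedding page's host. As the answer notes, a
    // non-browser client can forge these headers, so this only deters casual
    // reuse of the key on another site.
    $host = requestHost($headers);
    if ($host === null) {
        return ['ok' => false, 'reason' => 'no Origin or Referer header'];
    }
    if (!in_array($host, $client['origins'], true)) {
        return ['ok' => false, 'reason' => "origin $host not registered for key"];
    }
    return ['ok' => true, 'reason' => "origin $host allowed"];
}

// Constructed requests to exercise each branch offline.
$requests = [
    ['ABCD1234', '203.0.113.10', []],                                       // allowed ip
    ['ABCD1234', '198.51.100.7', []],                                       // unregistered ip
    ['WXYZ9876', '198.51.100.7', ['Origin' => 'https://example.com']],      // allowed origin
    ['WXYZ9876', '198.51.100.7', ['Referer' => 'https://fraud.com/page']],  // wrong origin
    ['NOPE0000', '203.0.113.10', []],                                       // unknown key
];
foreach ($requests as [$key, $ip, $headers]) {
    $r = authorize($key, $ip, $headers);
    printf("%-8s %-13s => %s (%s)\n", $key, $ip, $r['ok'] ? 'ALLOW' : 'DENY', $r['reason']);
}
```

The server branch is the strong check: a registered IP cannot be spoofed over TCP. The browser branch only raises the bar, for the reasons the answer gives; the script-include check it mentions would run client-side in JavaScript and is deliberately left out here, since the server can never trust its result.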
