Xihuny

Reputation: 1538

How to protect API requests made from a Flutter Web app?

I have an API developed in PHP for my Flutter web app. I am using this API to fetch all the data. But, I can see all the requests made to the server.

Is there any way to hide/restrict any unauthorized person from using my API? I am using the HTTP library to make calls from my Flutter app to the API. I just want to hide those calls to the web API. I have seen some websites do that. Since the server code and website code in those websites are in the same directory, it can be accessed directly without having to make a request to the webserver.

Upvotes: 0

Views: 2287

Answers (1)

Abhilash Chandran

Reputation: 7509

Two problems I see are:

  1. You are able to see all the requests made to the backend server from your web page and you want to hide them.

The answer to this is no, you can't. I say this based on my search on Google and some posts on SO like this

You may think about disabling the developer tools. The answer is no, and maybe with unknown side effects.

  2. Is there any way to hide/restrict any unauthorized person to use my API?

The answer to this question is yes, and it can be done with many approaches. Like you said, token-based authorization has its own issue with keys being leaked, and that's why there is always validity associated with it, which should be considered. There are mechanisms such as refresh tokens to renew tokens, etc.

The first and foremost thing I would do is enable the CORS mechanism on your server, where the server will only allow requests from very specific domains to be processed. More details available here

Upvotes: 2
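The two controls named in the answer (an origin allowlist via CORS and tokens with a validity period), sketched for a PHP endpoint as an added example that is not the answerer's code. The origin `https://app.example.com`, the `API_TOKEN_KEY` environment variable, the 15-minute lifetime and all function names are assumptions. CORS is enforced by browsers only, so the token check runs on every request regardless of origin.

```php
<?php
// Added example; every name and value below is an assumption, not from the post.
const ALLOWED_ORIGINS = ['https://app.example.com']; // hypothetical Flutter web origin
const TOKEN_TTL = 900;                                // token validity in seconds (assumed)

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Issue "payload.signature"; the payload carries the user id and an expiry time.
// Called by a login endpoint after the user's credentials have been checked.
function issue_token(string $userId, string $key, int $now): string {
    $payload = b64url(json_encode(['sub' => $userId, 'exp' => $now + TOKEN_TTL]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Return the user id for a correctly signed, unexpired token; null otherwise.
function verify_token(string $token, string $key, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $sig)) return null;   // constant-time comparison
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['sub']) || !is_int($claims['exp'] ?? null)) {
        return null;
    }
    return $claims['exp'] > $now ? (string)$claims['sub'] : null; // reject expired tokens
}

// CORS response headers for an allowlisted origin; none for any other origin.
function cors_headers(?string $origin): array {
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) return [];
    return ["Access-Control-Allow-Origin: $origin", 'Vary: Origin',
            'Access-Control-Allow-Headers: Authorization, Content-Type'];
}

// Request handling for one protected endpoint.
foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $h) header($h);
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') { http_response_code(204); exit; }
$key    = getenv('API_TOKEN_KEY');  // server-side secret, never shipped in the web app
$bearer = preg_replace('/^Bearer\s+/i', '', $_SERVER['HTTP_AUTHORIZATION'] ?? '');
$user   = $key ? verify_token($bearer, $key, time()) : null;
if ($user === null) {
    http_response_code(401);
    exit(json_encode(['error' => 'unauthorized']));
}
echo json_encode(['user' => $user]); // protected data would be returned here
```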
