locoboy

Reputation: 38900

How to make REST calls secure

I'm calling a webservice using the REST methodology using JSON/JS/jquery and am wondering if there is a way to call the webservice without exposing my API keys in the source code. Anyone know of a way to hide the API keys from the public and still make the call?

I'm worried that if someone goes through my source, they will be able to use my API key.

Upvotes: 6

Views: 3701

Answers (2)

Paul Sonier

Reputation: 39480

There's no way to send the API keys to the client, and have them be usable, and not have them be exposed. What you more likely want is to have a translation layer, where you allow external (non-validated) clients to make requests against an exposed endpoint, then you use some sort of logic to validate the request, then pass through the request.

API keys are typically for your use as a partner, not for distribution; this is the way to avoid distributing them.

Upvotes: 0

Matt Ball

Reputation: 359776

You could delegate the calls to your own server, so instead of:

  1. Browser sends HTTP request to external REST API, with API key
  2. External REST API sends response to browser

you have

  1. Browser sends HTTP request to your server
  2. Your server sends HTTP request to external REST API, with API key
  3. External REST API sends response to your server
  4. Your server sends response to browser

I'm not sure that someone else "stealing" your API key is a huge problem, though, since API keys (Google, for example) are frequently associated with specific domains.

Upvotes: 10
