Thanos Dodd

Reputation: 650

How to make REST API deployed to heroku accessible only through rapidAPI

Salutations!

I have just completed my first REST API, deployed on heroku, and I decided it would be cool to make $0 a month through rapidAPI.

The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.

However, when I access the site in a browser or in Postman, there is no need for an API key and therefore no restrictions on GET requests.

I have noticed that the test code makes a fetch request to the rapidAPI url for the project but how can I make the heroku url accessible only from rapidAPI?

I know it's extremely unlikely someone will find my heroku app url but it is technically possible.

I appreciate your time and insights.

Upvotes: 4

Views: 428

Answers (2)

Harry Coder

Reputation: 2740

RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.

Find more details on this page: https://docs.rapidapi.com/docs/secret-headers-parameters

Upvotes: 0

Beppe C

Reputation: 13973

RapidAPI provides 2 security features to support this:

  • set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
  • the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.

There might be Heroku Add-ons to help with the IP filtering, but those are typically enterprise plugins (with associated cost).

Upvotes: 3
