Pono

Reputation: 11776

How to protect my API service from api-keys piracy

I would like to roll my own REST API with a simple service. I would like to have three basic plans which will differ in terms of available req/sec.

Is there an easy way to prevent key switching? Let's say someone bought an "enterprise" api-key and sends it to others. Now the others have access to "enterprise" level features without actually paying for the service.

Of course I will implement some kind of rate-limiting but that's not the point. I just want to make API available to people who actually purchased API-keys.

Thanks in advance!

Upvotes: 2

Views: 521

Answers (1)

user121356

There is no way to do this using only API keys. You could try to do something like only accepting certain API keys from certain IP addresses, but there is a whole slew of issues with that. The only way to do this reliably is to force your clients to authenticate.

You can do this with username/password: they send those to you to verify, and you can check whether that username has access to the plan/service. You can also do this with mutually-authenticated SSL, where you issue self-signed client identity certificates to your clients; they use them to authenticate when they connect to your services, and you can then do a lookup to see whether that client has access to the plan/service. Note that you'd need to implement SSL in either case, as you don't want username/password going over standard HTTP.

Upvotes: 2
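The two options in the answer, username/password and a client certificate issued by the service, both come down to the same server-side step: resolve the caller to an account you issued, then look up that account's plan and enforce its limit. The following is an added example (not code from the question or the answer) of that step in stdlib Python. The account store, plan table, certificate serial numbers and revocation list are all constructed; `authenticate_cert` takes the dict that `ssl.SSLSocket.getpeercert()` returns and assumes the TLS layer was configured with `ssl.CERT_REQUIRED` against your own CA, so the cert has already been verified before the lookup runs.

```python
"""Authenticate API callers, then look up the plan their account paid for.
Added example, not from the original post; all accounts, plans, serial
numbers and passwords below are constructed sample data."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
PLANS = {"basic": 2, "pro": 20, "enterprise": 200}   # req/sec per plan (constructed)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_accounts() -> Dict[str, dict]:
    """Constructed account store; a real service would keep this in a database."""
    accounts = {}
    for user, plan, password in (("alice", "enterprise", "alice-secret"),
                                 ("bob", "basic", "bob-secret")):
        salt = os.urandom(16)
        accounts[user] = {"plan": plan, "salt": salt,
                          "pw_hash": hash_password(password, salt)}
    return accounts


ACCOUNTS = build_accounts()
# Client certificates issued by our own CA, keyed by the serial we assigned.
CERT_SERIAL_TO_USER = {"1001": "alice", "1002": "bob"}
REVOKED_SERIALS = {"1002"}            # bob's certificate was revoked (constructed)


def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Resolve a Basic auth header to a username, or None if it does not verify."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:                 # covers binascii.Error and UnicodeDecodeError
        return None
    account = ACCOUNTS.get(user)
    # Hash even for unknown users so response timing does not reveal valid names.
    salt = account["salt"] if account else b"\x00" * 16
    candidate = hash_password(password, salt)
    if account and hmac.compare_digest(candidate, account["pw_hash"]):
        return user
    return None


def authenticate_cert(peercert: Optional[dict]) -> Optional[str]:
    """Map an already-verified client cert (getpeercert() dict) to a username.
    Assumes the SSLContext used verify_mode=ssl.CERT_REQUIRED with our CA."""
    if not peercert:
        return None
    serial = peercert.get("serialNumber")
    if serial in REVOKED_SERIALS:
        return None
    return CERT_SERIAL_TO_USER.get(serial)


class RateLimiter:
    """Per-account token bucket whose size and refill rate come from the plan."""

    def __init__(self) -> None:
        self.buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, user: str, now: float) -> bool:
        rate = PLANS[ACCOUNTS[user]["plan"]]
        tokens, last = self.buckets.get(user, (float(rate), now))
        tokens = min(float(rate), tokens + (now - last) * rate)
        if tokens < 1:
            self.buckets[user] = (tokens, now)
            return False
        self.buckets[user] = (tokens - 1, now)
        return True


def handle_request(headers: dict, peercert: Optional[dict],
                   limiter: RateLimiter, now: float) -> Tuple[int, str]:
    """Authenticate (cert first, then Basic), look up the plan, enforce its limit."""
    user = authenticate_cert(peercert) or authenticate_basic(headers.get("Authorization"))
    if user is None:
        return 401, "authentication required"
    if not limiter.allow(user, now):
        return 429, f"rate limit for plan {ACCOUNTS[user]['plan']} exceeded"
    return 200, f"ok ({ACCOUNTS[user]['plan']})"
```

Because the plan is looked up from the authenticated account rather than from whatever key the caller presents, sharing a key no longer grants the plan: a shared password can be rotated on the account, and a shared certificate is revoked by adding its serial to the revocation set. For the certificate path, a real server would build an `ssl.SSLContext`, call `load_verify_locations()` with the CA you used to issue client certs, and set `verify_mode = ssl.CERT_REQUIRED`; `getpeercert()` then only returns a populated dict for certificates that chain to that CA.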
