How can I restrict the public API?

I have an algorithm that receives input and provides output that I would like to expose as an API for developers. To prevent denial of service and excessive use, I want to rate-limit it or protect it in some other way. What are my options? Do I provide accounts and API keys? How does that even work? And what other ideas are possible for this scenario?

+4
3 answers

Accounts and API keys really sound like a good idea if nothing else stops people other than your registered developers from accessing your API.

It should be fairly simple to have a simple database table that logs the last time a particular API was accessed, and refuses reuse if it was accessed too many times over a given period of time. If possible, return in the output the time at which the API will next be available for reuse, so developers can throttle accordingly instead of going for a trial-and-error approach.

Do you expect the same data to be used over and over again, or will it be completely random? How about caching the output and serving only the cached result to the developer until the API is ready for reuse? This approach is much less dependent on accounts and keys.

+4

API keys can definitely be a good way; there is also OAuth ( http://oauth.net ) if you have scenarios in which end users will access the service through applications created by third parties.

If you don't want to code rate limits / key management yourself, you should take a look at http://www.3scale.net/ , which provides many of these out of the box for free as a service (plus other things, including a developer portal, billing, etc.). As a disclaimer, I work there, so I may have some bias, but we try to make it as simple as possible!

I should add that there is a PHP plugin for 3scale that you can drop into your code, and this will let you use all the rate limits, etc.

+3

Another option that is slightly less complex, at the cost of accuracy, is to use the IP address. Obviously this is easier to get around, but for a regular user who does not know what an IP address is, it works. It is also easy to set up.

It all depends on the complexity of the application and the amount of time you have to do it in.

+1
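As an added illustration of the mechanism the first answer describes (a table that logs call timestamps, refuses a caller who exceeded the limit within the window, and reports when the next call will be accepted) and of the IP-keyed variant from the last answer, here is a small sliding-window limiter. It is example code written for this page, not code from any answer or from 3scale; the table name `api_calls`, the `RateLimiter` and `Decision` names, the `X-RateLimit-*` header names and the client keys used in the usage section are all assumptions or constructed values. The client key is whatever identifies the caller: an API key tied to an account, or, as the weaker fallback, the client IP address (which several users behind one NAT will share).

```python
import math
import sqlite3
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class Decision:
    allowed: bool
    remaining: int       # calls left in the current window (0 when refused)
    retry_after: float   # seconds until a call will be accepted (0.0 when allowed)


class RateLimiter:
    """Sliding-window limiter backed by one SQL table of accepted-call timestamps.

    Each row records one accepted call for one client key (hypothetical schema).
    All statements are parameterised, so a hostile key value cannot alter the SQL.
    """

    def __init__(self, limit: int, window_seconds: float,
                 db_path: str = ":memory:",
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so tests can control time
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS api_calls ("
            "  client_key TEXT NOT NULL,"
            "  called_at  REAL NOT NULL)")
        self.db.execute(
            "CREATE INDEX IF NOT EXISTS api_calls_key_ts "
            "ON api_calls (client_key, called_at)")

    def check(self, client_key: str) -> Decision:
        now = self.clock()
        window_start = now - self.window
        # Rows older than the window can no longer affect any decision for this key.
        self.db.execute(
            "DELETE FROM api_calls WHERE client_key = ? AND called_at <= ?",
            (client_key, window_start))
        (count,) = self.db.execute(
            "SELECT COUNT(*) FROM api_calls WHERE client_key = ?",
            (client_key,)).fetchone()
        if count >= self.limit:
            # The oldest call still inside the window is the one whose expiry
            # frees a slot, so that is the earliest moment a retry can succeed.
            (oldest,) = self.db.execute(
                "SELECT MIN(called_at) FROM api_calls WHERE client_key = ?",
                (client_key,)).fetchone()
            self.db.commit()
            return Decision(False, 0, max(0.0, oldest + self.window - now))
        self.db.execute(
            "INSERT INTO api_calls (client_key, called_at) VALUES (?, ?)",
            (client_key, now))
        self.db.commit()
        return Decision(True, self.limit - count - 1, 0.0)


def headers_for(decision: Decision, limit: int) -> dict:
    """Response headers that tell the developer how to throttle, so they do not
    have to discover the limit by trial and error (header names are the usual
    de facto convention, not a standard the page cites)."""
    hdrs = {"X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(decision.remaining)}
    if not decision.allowed:
        # Retry-After is whole seconds; round up so the client never retries early.
        hdrs["Retry-After"] = str(math.ceil(decision.retry_after))
    return hdrs


if __name__ == "__main__":
    # Constructed usage: 3 calls per 60 s, with a fake clock instead of real time.
    fake_now = [1000.0]
    limiter = RateLimiter(limit=3, window_seconds=60, clock=lambda: fake_now[0])
    for _ in range(4):
        d = limiter.check("apikey-constructed-A")
        print(d, headers_for(d, 3))
    fake_now[0] = 1061.0                       # window has elapsed
    print(limiter.check("apikey-constructed-A"))
```

In production the table lives in the shared database (or a cache such as Redis) rather than in-memory SQLite, and the check runs before the expensive algorithm so a refused call costs only one indexed query. Keying on the API key rather than the IP is what lets you revoke or adjust limits per developer account.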

Source: https://habr.com/ru/post/1338328/
