I created a web application and now I want to create some REST APIs to make it programmable by third-party developers. Then I want to create several client libraries in some popular languages (JavaScript, PHP, Ruby, etc.), to make devs confortable using my service, avoiding them manually analyzing the JSON response of each request.
I have never built an API framework before, so I have the following question. I would like to track the use of API methods called third-party developers. Each developer must be registered before using the API, so I want to associate each request with a registered developer (and therefore set some usage restrictions, etc.).
I was thinking of creating a unique api key for each developer, which he could use in all his applications to authenticate requests. But then I realized that if he decides to use my javascript wrapper, then malicious users will be able to view the source code of the client application page and grab its api key. So, I decided that it would be better to create a unique api-key for each application associated with the domain in which the client application will be hosted. So, even if the user captures another person’s key, then it will be useless outside the domain where he was originally registered. But then I thought: what about mobile applications? What happens if the call is not from a website? How can I authenticate a key through my domain,if there is no domain or the IP address is not static?
Any tips?
Thank!
source
share