How to make secure REST calls

I am calling the webservice using the REST methodology using JSON / JS / jquery, and I am wondering if there is a way to call the web service without exposing the API keys in the source code. Does anyone know a way to hide API keys from the public and still make a call?

I worry that if someone goes through my source, they will be able to use my API key.

+6
2 answers

You can delegate calls to your own server, so instead of:

  • The browser sends an HTTP request to an external REST API with an API key
  • External REST API sends response to browser

you have

  • The browser sends an HTTP request to your server
  • Server sends HTTP request to external REST API with API key
  • External REST API sends a response to your server
  • Your server sends a response to the browser

I'm not sure if anyone else is "stealing" your API key - this is a huge problem, as API keys (like Google) are often associated with specific domains.

+10

There is no way to send API keys to the client and use them without also showing them. Most likely, you want to have a translation layer where you allow external (unaudited) clients to make requests against an open endpoint, then you use some kind of logic to validate the request, and then forward the request.

API keys are usually meant for your own use as a partner, not for distribution; this is how their spread is avoided.

0

Source: https://habr.com/ru/post/891845/