I wish to create an API server that will provide json data to be consumed by my ember app. However, there may be other third-party clients too so I want to do something like issue them a ‘client-id’ / ‘API-key’ combo so that I can rate-limit them etc.
However, since my own website will also be making calls to this API server, my API-key will have to be on the client side, which presumably others can inspect and use.
What is the design pattern to allow third-party apps to register with me and require a client id/API-key, without exposing it on the client side?
You will need to have the server encrypt your API-key before using it on the client and loading it there using some kind of loadEncryptedAPIKey() function.
@jimmyislive you might want to check out JWTs. They work pretty well for this scenario, especially if you need to share any data (in a tamper-resistant way) in addition to the key.
I’ve recently been doing some work around this over the last couple of days; these two articles were handy. Basically, doing this purely client side is not really very secure.
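To make the JWT suggestion above concrete, here is an added example (not code from any poster in this thread) of the split it implies: the long-lived secret stays on the API server, and the browser only ever holds a short-lived signed token bound to a client id, which the server can then verify and rate-limit per client. The secret value and client id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: the signing secret lives only on the API server.
SERVER_SECRET = b"replace-with-a-random-server-side-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Server side: mint a short-lived HS256 JWT for a registered client id.
    The client receives only this token, never SERVER_SECRET."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": client_id, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """API server: return the client id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # only accept the algorithm we issue ("none" and friends are rejected)
        expected = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # payload was altered or the signature was not made with our secret
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= now:
            return None  # expired: a leaked token is only useful for a bounded window
        return claims["sub"]  # use this id as the key for per-client rate limiting
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
```

The browser-facing site fetches a token from its own backend (which holds the secret), so inspecting the client reveals only a short-lived token rather than the credential that mints them.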