API Key from client visible to all?


#1

Hi,

I wish to create an API server that will provide json data to be consumed by my ember app. However, there may be other third-party clients too so I want to do something like issue them a ‘client-id’ / ‘API-key’ combo so that I can rate-limit them etc.

However, since my own website will also be making calls to this api server, my API-key will have to be on the client side, which presumably other can inspect and use.

What is the design pattern to allow third-party apps to register with me and require a client id/API -key, without exposing it on the client side.

Or am I missing something here?

thx Jim


#2

You will need to have the server encrypt your API-key before using it on the client and loading it there using some kind of loadEncryptedAPIKey() function.


#3

@jimmyislive you might want to check out JWT’s. They work pretty well for this scenario, especially if you need to share any data (in a tamper resistant way) in addition to the key.

See: http://jwt.io/


#4

I’ve recently been doing some work around this the last couple days, these two articles were handy. Basically doing this purely client side is not really very secure.

http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

http://alexbilbie.com/2014/11/oauth-and-javascript/