I've created a web application, and now I want to build some REST APIs to make it programmable by third party developers. Then, I want to build some client libraries in some popular languages (JavaScript, PHP, Ruby, etc.) to make devs comfortable using my service by saving them from parsing the JSON response of each request by hand.
I've never built an API infrastructure before, so I have the following question. I'd like to track the usage of the API methods called by third party developers. Each developer, before consuming the APIs, must be registered, and so I want to associate each request to the registered developer (and so set some specific usage limits, etc.).
I thought of creating a unique API key for each developer that he could use in all his apps to authenticate the requests. But then I realized that if he decides to use my JavaScript wrapper, then malicious users could view the source code of the client app page and grab his API key. So, I decided that it would be better to create a unique API key for every application, associated with the domain where the client app would be hosted. So that even if a user grabs someone else's key, then it would be useless outside the domain where it was originally registered. But then I thought: what about mobile apps? What happens if the call is made not from a website? How can I authenticate the key through its domain if there's no domain or the IP address is not static?
Any tips?
Thanks!
Marco.

Not sure you're still working on this, but just in case: If your main goal is tracking the usage of the API coming from different sites, you're right to assign a unique API key per developer. However, in the case of JavaScript, the request will not be coming from that developer; it would be coming from the end-user's computer (assuming you're using JSONP to get around the same-domain policy in JavaScript). You might be able to enforce your domain restriction using the HTTP_REFERER (i.e. you get a request from 1.2.3.4.comcast.net, but its HTTP_REFERER is www.developer.com), but obviously a determined malicious user could spoof that REFERER.
Another option might be to avoid JSONP and make the JavaScript library come with a local proxy. That way the AJAX calls would go from the user's browser to the developer's server (validated with a session cookie/crumb), and then the developer's server contacts your server (which can be easily IP restricted and/or use strong auth).
Hope that helps.
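The local-proxy option from the answer above, as an added example that is not part of the original question or answer. It simulates the three parties in one process: the browser (holding only a session cookie), the developer's proxy server (holding the app secret and adding an HMAC signature, which is the "strong auth" the answer leaves unspecified), and the API provider (verifying the signature, rejecting stale timestamps, and counting usage per registered app). The header names, the app id `app-marco-web`, the secret, the session store and the usage limit are all constructed for the demo.

```python
import hmac
import hashlib
import json
import time

# --- API provider side (the poster's service) -------------------------------
# Constructed registry: one secret per registered developer application.
# The secret lives only on the developer's server, never in browser JavaScript.
API_SECRETS = {"app-marco-web": b"constructed-secret-do-not-ship-to-browser"}
USAGE_LIMIT = 3            # accepted calls per app for this demo
MAX_CLOCK_SKEW = 300       # seconds; a signed request older than this is refused
_usage = {}                # app_id -> number of accepted calls (usage tracking)

def sign(secret, timestamp, body):
    """HMAC-SHA256 over the timestamp and the exact request body bytes."""
    msg = str(timestamp).encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def api_handle(headers, body, now=None):
    """Provider-side check of a request forwarded by a developer's proxy.
    Returns (status_code, response_dict)."""
    now = time.time() if now is None else now
    app_id = headers.get("X-App-Id")
    secret = API_SECRETS.get(app_id)
    if secret is None:
        return 401, {"error": "unknown app id"}
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return 400, {"error": "bad timestamp"}
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return 401, {"error": "stale request"}
    expected = sign(secret, ts, body)
    # constant-time comparison so the check leaks nothing about the signature
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 401, {"error": "bad signature"}
    if _usage.get(app_id, 0) >= USAGE_LIMIT:
        return 429, {"error": "usage limit reached"}
    _usage[app_id] = _usage.get(app_id, 0) + 1
    return 200, {"echo": json.loads(body), "calls_used": _usage[app_id]}

# --- Developer side: the local proxy shipped with the JS library ------------
APP_ID = "app-marco-web"
APP_SECRET = API_SECRETS[APP_ID]      # stored on the developer's server only
SESSIONS = {"cookie-alice": "alice"}  # constructed session store

def proxy_handle(session_cookie, payload, now=None):
    """Browser -> developer server. Only the developer's own logged-in users
    can trigger an upstream call; the secret is added here, server-side."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        return 403, {"error": "not logged in"}
    body = json.dumps({"user": user, "payload": payload}, sort_keys=True).encode()
    ts = int(time.time() if now is None else now)
    headers = {"X-App-Id": APP_ID, "X-Timestamp": str(ts),
               "X-Signature": sign(APP_SECRET, ts, body)}
    return api_handle(headers, body, now=now)   # stands in for an HTTPS call

def forged_direct_call(now=None):
    """What a user who scraped the app id out of the page source can do on
    their own: the id without the secret cannot produce a valid signature."""
    body = b'{"payload": "x"}'
    ts = int(time.time() if now is None else now)
    headers = {"X-App-Id": APP_ID, "X-Timestamp": str(ts),
               "X-Signature": "0" * 64}
    return api_handle(headers, body, now=now)

if __name__ == "__main__":
    print(proxy_handle("cookie-alice", {"q": "hello"}))
    print(proxy_handle("no-such-cookie", {"q": "hello"}))
    print(forged_direct_call())
```

With this split the browser never sees anything worth stealing: the app id is public, usage is attributed to the developer's app rather than to end-user IPs, and the same proxy works unchanged for a mobile app, since the mobile client also only talks to the developer's server. In a real deployment the provider would additionally restrict accepted source IPs per app, as the answer suggests, and the proxy would apply its own per-user rate limit so one site user cannot exhaust the developer's quota.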