-3

How can we safeguard a REST API so that it is accessed only from trusted clients? Let me explain the scenario: let's say there is an API which will be accessed from a mobile application MA and a web application WA. Besides these two applications, this API should not (and must not) be accessed by any other client.

Key Points:

  • I cannot use token based authentication here, as the user is not required to log in to the application to access (or just read) the information.
  • Embedding any secret information inside the application, to be sent along with the API request, is not secure, as that secret can be leaked (even though SSL is used) to a potential user through reverse engineering.

In this scenario, what is the best way to secure REST API?

3 Answers

2

You can't. This is why you need to have authentication to assume that they're legitimate and that they're authorized to use them.

netrox
  • 136
1

You're going to need some sort of authentication for this. I'd even go as far as to recommend implementing some sort of login system.

The reason for this is simple: there's no way that your API is going to know your clients are trustworthy. It needs some sort of information in order to verify that whichever client is connected is who they say they are. If you can't embed information (you shouldn't anyway), you're going to need a login.

-1

I can't see why you can't implement a token based exchange. You can have an initialization token that starts the communication with the API. This token can be stored in a database or however you wish to, and if possible have it change from time to time. Only your client and your server know of this token, and when it changes.

There's no need for users to be involved in terms of logging in. The token verification can all be done in the backend without involving user interaction. Every time your mobile (client) accesses the API with its agreed token, the backend can reshuffle the token, and let the client know what the new one is.

But of course, the security of this is only as strong as the initialization stage. If, somehow, there is a way someone could know about the initialization token, they would know the tokens that will be reshuffled from there onwards.

But you get the idea. It is possible. All up to how sneaky you are to design it. There are, of course, other ways with a similar concept.

Desmond
  • 13
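The rotating-token exchange described in the answer above, simulated end to end as an added example (this is not Desmond's code or anything from the original thread; class names, the in-memory dict standing in for the database, and the constructed initial token are all assumptions). It shows both sides of the protocol and then the caveat the answer itself raises together with the question's second key point: once a copy of the client's current token leaves the app, the server accepts whoever presents it first, and the honest client is left holding a stale token.

```python
import hmac
import secrets


class ApiServer:
    """Backend side of the rotating-token exchange (illustrative, assumed names).

    ``tokens`` maps a client id to the token that client must present next;
    it stands in for the database mentioned in the answer. Every accepted
    request rotates the token and returns the new value to the caller.
    """

    def __init__(self, initial_tokens):
        self.tokens = dict(initial_tokens)

    def handle(self, client_id, presented_token, request):
        expected = self.tokens.get(client_id)
        # Constant-time comparison so response timing does not leak the token.
        if expected is None or not hmac.compare_digest(expected, presented_token):
            return {"ok": False, "error": "unauthorised"}
        fresh = secrets.token_hex(16)
        self.tokens[client_id] = fresh  # reshuffle before replying
        return {"ok": True, "data": f"public data for {request}", "next_token": fresh}


class ApiClient:
    """Mobile or web client holding the current token; no user login involved."""

    def __init__(self, client_id, initial_token):
        self.client_id = client_id
        self.token = initial_token

    def call(self, server, request):
        reply = server.handle(self.client_id, self.token, request)
        if reply["ok"]:
            self.token = reply["next_token"]  # adopt the reshuffled token
        return reply


def run_scenario():
    """Two honest calls, then an attacker who has copied the client's current
    token (e.g. by reverse engineering the shipped app, as the question notes).
    Returns the outcome of each call for inspection."""
    init = "initial-token-baked-into-build"  # constructed, shared out of band
    server = ApiServer({"mobile-app": init})
    client = ApiClient("mobile-app", init)

    first = client.call(server, "/articles")        # accepted, token rotates
    second = client.call(server, "/articles/1")     # accepted, token rotates again

    stolen = client.token                           # attacker copies the live token
    attacker = ApiClient("mobile-app", stolen)
    hijack = attacker.call(server, "/articles/2")   # accepted: server cannot tell them apart
    stale = client.call(server, "/articles/3")      # honest client now presents a stale token

    return {
        "first_ok": first["ok"],
        "second_ok": second["ok"],
        "token_rotated": first["next_token"] != second["next_token"],
        "attacker_ok": hijack["ok"],
        "honest_client_ok_after_theft": stale["ok"],
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The rotation does limit how long a single copied token stays useful, but it gives the server no way to distinguish the legitimate client from the attacker: the only signal it ever sees is a rejected stale token, and by then the impostor already holds the fresh one. That is the "only as strong as the initialization stage" limit from the answer, restated in running code.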