
I have been writing my own API for my site; the API will only allow a consumer to read basic information.

Somebody suggested to me that I give the consumer a public and a private API key. The private API key would be for server-side scripts such as PHP, so the public can't view it and use it in a wrong way, and the public key would be for languages such as JavaScript. For the public API key, they told me I would have to check the original source of the request and match it to a URL in my database.

But the way I was going to check the URL the request was coming from was by checking the referrer, but I know that the referrer can be changed, so this wouldn't be a good idea.

I'm looking for a way to check the referring URL properly which is very reliable. Or could anyone suggest to me a different way of doing this API?

Frank
  • I would like you to read some documentation by Apigee; they have very powerful tools to create APIs. Just search Apigee on Google. – TeaCupApp Jul 29 '12 at 23:06
  • There's no foolproof way. Whatever's in JavaScript can be read and emulated by the user. – Ry- Jul 29 '12 at 23:07
  • @owl It just seems too much for the simple API I am doing. It doesn't need all of that shaboom just for something which does very little. – Frank Jul 29 '12 at 23:12
  • If you're just writing a simple API, you could consider that the keys are just passwords that are bound to a specific set of access permissions. – Jay Jul 30 '12 at 11:42
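
One way to implement the two-key scheme discussed in this thread, as an added example that is not part of the original post or comments: each key is bound to a set of permissions, and the public key is additionally limited to registered origins using the browser's `Origin` header instead of `Referer`. The key values, scope names, record layout and function names are constructed for illustration.

```javascript
// Added example (Node.js). Key store, scopes and helper names are hypothetical.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Constructed sample records. Only the hash of each key is stored server-side.
const KEYS = [
  { hash: sha256('pub_demo_123'), type: 'public', scopes: ['read:basic'],
    origins: ['https://consumer.example'] },
  { hash: sha256('priv_demo_456'), type: 'private',
    scopes: ['read:basic', 'read:stats'] },
];

// Look up a presented key by comparing fixed-length hashes in constant time.
function findKey(presented) {
  const h = sha256(String(presented || ''));
  return KEYS.find((k) => crypto.timingSafeEqual(k.hash, h)) || null;
}

// Decide whether a request may use `scope`.
// req = { apiKey, origin }, where origin is the Origin header (may be undefined).
function authorize(req, scope) {
  const key = findKey(req.apiKey);
  if (!key) return { ok: false, reason: 'unknown key' };

  // The key is a password bound to permissions: enforce them first.
  if (!key.scopes.includes(scope)) return { ok: false, reason: 'scope not granted' };

  if (key.type === 'public') {
    // Browsers set Origin and page script cannot override it, but a
    // non-browser client can send any value. This check stops other
    // websites from reusing the key; it does not authenticate the caller.
    if (!key.origins.includes(req.origin)) {
      return { ok: false, reason: 'origin not registered' };
    }
    // Echo the matched origin in Access-Control-Allow-Origin.
    return { ok: true, allowOrigin: req.origin };
  }
  return { ok: true };
}
```

Because any non-browser client can send an arbitrary `Origin`, the public key should carry only permissions that are safe to expose to anyone who reads the page source.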

0 Answers