0

Possible Duplicate:
Restful API authentication recommendation?

I'm writing an API in PHP and it opted to use Respect/REST.

This is not a public API, ie, only authorized client applications can consume there. And this is where I would like some idea of how to guarantee the security of information that the API handles. The client applications can be written in any language, but as I said, they should be allowed to use the API.

At the moment I'm writing a test client for this API using jQuery.rest.

My doubts are:

1) How to ensure that only authorized clients can access the API?

2) How to ensure that every request made to the API has been authorized client?

Community
  • 1
  • 1
Maykonn
  • 2,738
  • 6
  • 33
  • 51
  • You need a token (or probably a different token for each client) and a handshake. – Joe Green Nov 22 '12 at 16:20
  • My concern is when a client JS, and this makes a request to the API using your token and a user that client copy that token and use in another application and this consumes my API as if it were an application authorized. Via SOAP token that would not be displayed in Firebug for example. How to avoid this? – Maykonn Nov 22 '12 at 16:57
  • Anything you do in JS by definition reveals the necessary access credentials to the user, no way around it. I'd suggest to use a different authentication mechanism there, most likely standard cookies and authorized sessions. Use the registered token method only for non-browser clients. – deceze Nov 22 '12 at 17:15

1 Answers1

2

one of the most common approach its using oauth, but its not the only way.

Try to look resources at apigee they have useful free ebooks and webcast about api servers and authentication.

The first maybe will cover your doubts, the other are just to learn a little more about server API's

Also take a look at their videos and webcasts

norman784
  • 2,201
  • 3
  • 24
  • 31