Limit REST API access by clients

Question

We develop a mobile application, so we have a REST API(server-client).

Is there a way to limit that only our mobile application can send requests to server through API? So, best will be that server will not accept requests from other clients, maybe it is possible to do that with certificates?

You can have tokens that identify the request and then have a throttle check on it. — Deepak, May 11 '17 at 07:07
http://stackoverflow.com/questions/7238094/securing-rest-api-without-reinventing-the-wheel — knoight, May 11 '17 at 12:06

score 0 · Answer 1 · answered May 28 '17 at 02:56

0

You can check in your web services user agent. If use agents is mobile device and you can generate token for each device and you can identify the requested client..

answered May 28 '17 at 02:56

Dharmesh Vasani

475
2
4
19

1

User agents are easily spoofed. Checking provides no security. – Mike Taverne May 28 '17 at 03:06

score 0 · Answer 2 · answered May 28 '17 at 03:57

If you use SSL you can work with client certificates.

Another option is to use a Client ID and a Client Secret. Use the client secret to sign your client ID within the request.

Use OAuth with the Client Credential grant. This is more or less similar to the above one but more formalised and you can use standard libraries.

Limit REST API access by clients

2 Answers2