4

I'm exposing a simple API and need to make sure only authorized users access it. I will be providing an API key to authenticate. However, I also want to associate the API key to a certain domain (meaning, it should only work if it's being used from the authorized domain(s)).

How do I check on the API side if it is being accessed from an authorized domain? HTTP_REFERER apparently is not reliable. Suggestions?

StackOverflowNewbie

2 Answers

7

What kind of API are you exposing? There are many different kinds of APIs - I assume you do not expose your operating system's API...

Assuming you want to expose some web application's API, you may take a look at OAuth, which is based on callback URLs - you can just block certain domains from being called through callback URL.

Read more about OAuth.

Tadeck
  • It's a web application API. OAuth is planned for second version. Any good interim solutions? – StackOverflowNewbie May 29 '11 at 23:28
  • @StackOverflowNewbie If you can not use OAuth now, just employ that specific feature (require an auth flow requiring callbacks, like in OAuth). Is it a sufficient solution for you at this stage? – Tadeck May 29 '11 at 23:30
  • Can you elaborate on what you mean? – StackOverflowNewbie May 29 '11 at 23:38
  • @StackOverflowNewbie What you need from OAuth (and what is pretty easy to implement without implementing full OAuth) is the way callback URLs work. If the way your API is designed requires some information to be returned to some callback URL, you are at home. It will work like that: 1) external app invokes your app with proper params (just to be short, access key and callback URL are a must), 2) you decide whether the specific callback URL is within a domain you allow access to your app, 3) you either call the specific callback URL with some additional data (e.g. request token) or do not call it, – Tadeck May 29 '11 at 23:45
  • This requires that the client application is callable, which may not be true if it is browser-based JavaScript. – Dennis Kreminsky May 29 '11 at 23:53
  • @DennisKreminsky: Yes, but if it is not available under some specific domain, then it is a lot harder to limit access based on the domain, don't you think? – Tadeck May 07 '12 at 23:00
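An added example (not code from either answer) of the server-side check in step 2 of Tadeck's comment: each API key is bound to the domains its holder registered, and the callback URL's host is parsed and compared against that list before anything is sent to it. The key registry and domain names are constructed for illustration; the check also covers the edge cases a naive string match gets wrong (userinfo and port in the URL, look-alike hosts that merely end with the allowed name).

```python
from urllib.parse import urlsplit

# Constructed registry: API key -> domains its holder registered.
# In a real deployment this lives in the key store, not in source.
KEY_DOMAINS = {
    "key-alpha": {"app.example.com"},
    "key-beta": {"example.org", "partner.example.net"},
}


def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one.

    The '.' boundary matters: 'evilapp.example.com' must not pass for
    'app.example.com', which a plain endswith() would accept.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def validate_callback(api_key, callback_url):
    """Return (ok, reason) for a callback URL presented with an API key.

    ok is True only when the key exists, the URL is HTTPS, and its host
    is on that key's registered domain list.
    """
    allowed = KEY_DOMAINS.get(api_key)
    if allowed is None:
        return False, "unknown api key"
    parts = urlsplit(callback_url)
    if parts.scheme != "https":
        return False, "callback must use https"
    # .hostname drops userinfo ('user@') and the port and lowercases,
    # so 'https://app.example.com@other.test/' resolves to other.test.
    host = parts.hostname
    if not host:
        return False, "callback has no host"
    if not host_allowed(host, allowed):
        return False, "host %s not registered for this key" % host
    return True, "ok"
```

As Dennis notes, this only helps when the client is something your server can call back; a purely browser-resident client has no callback endpoint to validate.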

0

HTTP+SSL is a complex protocol set that supports certificates for both server and the client, and probably could be used in this case, but somehow I feel this would be an overkill.

Dennis Kreminsky