
The simplest form of authentication for an API?

Deactivated User
·May 20, 2016

Imagine a simple API for, e.g., a (mobile) web application. I would want the client (which connects via Ajax) to initially do a handshake and arrive at some form of authentication based on a client key. Being a client-side app, the key could be grabbed from the application and used in a spoof app.

How would one protect against this kind of spoof? So far I could think of this:

  • connect the key to the domain where the client app lives, so it can be checked against the referrer information. (Is that always available? Or can the referrer info be spoofed as well?)
  • have a client-side and server-side method of encoding, so a hash can be created with the key that only the server and the client app can produce. (Isn't this easily reproduced because we're talking about a client-side app? Just by looking at the code, or by finding the method and using it through the developer tools?)

What more/other could be done to make sure the real client is talking to the backend?
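The second idea in the question (client and server computing a hash over the request with the shared key) in working form, as an added example that is not part of the original post. It signs the method, path, timestamp and body with HMAC-SHA256 and verifies with a constant-time comparison and a staleness window; the key, names and window are assumptions for the demo. The caveat the asker already raises holds: the server only learns that the sender possessed the key, so a copy of the app with the extracted key signs identically.

```python
import hashlib
import hmac
import time

# Constructed demo values (assumptions, not from the post).
CLIENT_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW_SECONDS = 300  # reject signatures whose timestamp is older than this


def canonical_string(method, path, body, timestamp):
    """Unambiguous layout of what gets signed; both sides must build it identically."""
    return f"{method.upper()}\n{path}\n{int(timestamp)}\n".encode() + body


def sign_request(key, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical string, hex-encoded."""
    mac = hmac.new(key, canonical_string(method, path, body, timestamp), hashlib.sha256)
    return mac.hexdigest()


def verify_request(key, method, path, body, timestamp, signature, now=None):
    """Server side: recompute the MAC and compare in constant time.

    Any change to method, path, body or timestamp changes the MAC, and a stale
    timestamp is rejected so a captured request cannot be replayed indefinitely.
    Note what this does NOT prove: that the signer is the genuine app. Anyone
    holding CLIENT_KEY (extracted from the client-side code) signs just as validly.
    """
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"item": 42}'
    sig = sign_request(CLIENT_KEY, "POST", "/api/cart", body, ts)
    print("genuine request accepted:",
          verify_request(CLIENT_KEY, "POST", "/api/cart", body, ts, sig))
    print("tampered body rejected:",
          not verify_request(CLIENT_KEY, "POST", "/api/cart", b'{"item": 1}', ts, sig))
    print("stale timestamp rejected:",
          not verify_request(CLIENT_KEY, "POST", "/api/cart", body, ts, sig, now=ts + 3600))
```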