Protecting my REST service which I will use on client side from others to use

Topics: Web Api
Oct 21, 2011 at 1:14 PM
Edited Oct 21, 2011 at 1:19 PM

Let's assume that I have created my service smoothly and I am returning json results.

I also implemented an API key for my users to communicate with my service.

Company A starts using my service. I give them an API key.

Then they created an HttpHandler as a bridge (I am not sure what the term is here) in order not to expose the API key. (I am also not sure it is the right way.)

For example, let's assume that my service URL is as follows:

www.myservice.com/service?apikey={key_comes_here}

Company A is using this service from the client side like below:

www.companyA.com/services/service1.ashx

Then they start using it on the client side.

Company A protected the API key here. That's fine. But there is another problem here. Somebody can still grab the www.companyA.com/services/service1.ashx URL and start using my service. What is the way of preventing others from doing that?

Oct 21, 2011 at 2:03 PM
Is your ApiKey changing?

If not, it should. Company A should still be logging into a system, in which you return an apikey after a successful authentication. Hold the apikey somehow and give it some type of expiration, e.g. have it expire every 24 hours. It depends on how Company A and other clients will be utilizing your API. Then they can use the apikey to get, post, put, etc.
I am not saying this is a fix-all, but at least it should point you in a direction.
Thank you,
Jake Kapp
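
One way to implement the expiring key described in the reply above, as an added example that is not part of the original thread or of the WCF Web API project. It is a language-neutral sketch written in Python; `SERVER_SECRET`, `issue_api_key`, `validate_api_key` and the `client.expiry.signature` key layout are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a secret held only by the service (constructed sample value).
SERVER_SECRET = b"constructed-demo-secret"
KEY_LIFETIME_SECONDS = 24 * 60 * 60  # "expire every 24 hours" from the reply


def _sign(payload: str) -> bytes:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(SERVER_SECRET, payload.encode("utf-8"), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).rstrip(b"=")


def issue_api_key(client_id: str, now: Optional[float] = None) -> str:
    """Call only after the client has authenticated successfully."""
    issued = time.time() if now is None else now
    expires = int(issued) + KEY_LIFETIME_SECONDS
    payload = f"{client_id}.{expires}"
    return f"{payload}.{_sign(payload).decode('ascii')}"


def validate_api_key(api_key: str, now: Optional[float] = None) -> Optional[str]:
    """Return the client id for a valid, unexpired key, otherwise None."""
    current = time.time() if now is None else now
    try:
        # The expiry and signature never contain '.', so split from the right.
        client_id, expires_text, signature = api_key.rsplit(".", 2)
        expires = int(expires_text)
    except ValueError:
        return None  # malformed key
    expected = _sign(f"{client_id}.{expires_text}")
    # Constant-time comparison; a changed client id or expiry fails here.
    if not hmac.compare_digest(signature.encode("utf-8"), expected):
        return None
    if current >= expires:
        return None  # expired: the client must authenticate again
    return client_id


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp for the demo
    key = issue_api_key("companyA", now=t0)
    print(validate_api_key(key, now=t0 + 3600))                  # within 24 hours
    print(validate_api_key(key, now=t0 + KEY_LIFETIME_SECONDS))  # after expiry
```

Because the expiry is covered by the signature, the service can check a key without storing it, and a copied key stops working once its 24 hours are up.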


