Locking down a REST API to one app. How?


Question

I have a small one page browser based app which consumes a REST API. Users are authenticated via a shortish lived token based system.

I'm likely going to expand this to also include mobile apps (either native or hybrid) which will also consume the same API.

I do have one concern though - how can I 'lock' my API so that only my apps can consume it?

In other words, how can I stop someone else building an app that uses my API?

Answer

You need some sort of authentication, and if you're going to do authentication you'll need to make your REST API use HTTPS. Basic auth usually fits the bill nicely. Your apps will have credentials, but your human users will not. This will also allow you to give credentials to a customer, or somebody who wishes to use your API if you would like.
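As an added illustration of the answer above (example code written for this page, not taken from the question's project or any library), the following is a server-side check that gates an API on HTTP Basic credentials and refuses to inspect them at all unless the request arrived over HTTPS. The client ids, secrets and salt are constructed for the demo; the `scheme` argument stands in for whatever the real framework exposes to say whether TLS was used. Secrets are stored as PBKDF2 hashes and compared with `hmac.compare_digest`, so a database leak does not yield reusable credentials and the comparison time does not reveal how many bytes matched.

```python
import base64
import hashlib
import hmac

# Constructed demo values: in a real deployment the salt would be per-credential
# and the hashes would live in a credential store, never in source.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000


def _hash_secret(secret: str) -> bytes:
    """Derive a fixed-length digest from an app secret (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), _SALT, _ITERATIONS)


# One credential per client app, as the answer suggests; humans never hold these.
APP_CREDENTIALS = {
    "web-app": _hash_secret("web-app-secret-demo"),        # constructed
    "mobile-app": _hash_secret("mobile-app-secret-demo"),  # constructed
}


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorize_request(scheme, auth_header):
    """Return (HTTP status, authenticated client id or None) for one request."""
    # Basic auth carries the secret in the clear (base64 is encoding, not
    # encryption), so credentials are only accepted over TLS.
    if scheme != "https":
        return 403, None
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return 401, None
    user, password = creds
    expected = APP_CREDENTIALS.get(user)
    # Hash the candidate even for unknown users so the response time does not
    # reveal which client ids exist.
    candidate = _hash_secret(password)
    if expected is None or not hmac.compare_digest(candidate, expected):
        return 401, None
    return 200, user


def make_basic_header(user, password):
    """Build the Authorization header a client app would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    hdr = make_basic_header("mobile-app", "mobile-app-secret-demo")
    print(authorize_request("http", hdr))   # TLS missing: credentials not examined
    print(authorize_request("https", hdr))  # accepted as the mobile app
```

This enforces the gating the answer describes: only callers holding one of the issued credentials get past the check. Note that a credential compiled into a browser bundle or mobile binary is only as secret as that binary, so per-app credentials identify which of your apps is calling and let you revoke one without the others; they do not by themselves prove that the caller is your unmodified app.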
