Architecture of API Key Implementation


Problem description

I might be wrong, as I am very new to API Key fundamentals. Please correct me if I am wrong.

I have a JavaScript front-end, and a backend application in PHP (can be any technology). I want to expose some API from the backend application for AJAX, so that a third party developer could use my API from their application without worrying about the actual implementation on the backend.

I will expose an API Key to the developer, so that whatever request he makes from his application, uses the API key and I can keep a record of which API key is accessing the application.

As it is an AJAX call to the server, he has the API key stored in the JS file that I'll give.

The question is: if someone were to look into the JS file he has, one could easily get the API key which was designed for some other application. How should I implement this in a secure manner?

Can anyone help?

Recommended answer

Plain JavaScript is not possible to hide from the end-user since the end-user is the one executing the code.

You can use obfuscated JavaScript, but then again there is always the possibility of reverse-engineering.
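
Why obfuscation does not protect the key, as an added example that is not part of the original answer: the client must restore the key in order to send it, so the key appears in every outgoing request even when it never appears in the shipped file. The key value, the `X-Api-Key` header name, the URL and all function names are constructed for this illustration.

```javascript
// Constructed sample: key value, header name and URL are placeholders.
const SAMPLE_KEY = 'demo-key-0000';

// Vendor build step: turn the key into XOR-masked char codes so the
// literal string never appears in the shipped file.
function obfuscate(key, mask) {
  return Array.from(key, (ch) => ch.charCodeAt(0) ^ mask);
}

// Shipped client: holds only masked bytes, but has to unmask them to
// build a request the server will accept.
function makeClient(maskedKey, mask, transport) {
  const reveal = () => String.fromCharCode(...maskedKey.map((c) => c ^ mask));
  return {
    getItems() {
      return transport('https://api.example.test/items', {
        headers: { 'X-Api-Key': reveal() },
      });
    },
  };
}

// Stand-in for fetch/XMLHttpRequest: records what leaves the page, which is
// the same view the browser's network panel gives the end user.
function recordingTransport(log) {
  return (url, options) => {
    log.push({ url, headers: { ...options.headers } });
    return Promise.resolve({ status: 200 });
  };
}

function demo() {
  const mask = 0x5a;
  const masked = obfuscate(SAMPLE_KEY, mask);
  const shippedSource = JSON.stringify(masked); // what a reader of the file sees
  const sent = [];
  makeClient(masked, mask, recordingTransport(sent)).getItems();
  return {
    keyInSource: shippedSource.includes(SAMPLE_KEY),
    keyOnWire: sent[0].headers['X-Api-Key'],
  };
}

console.log(demo());
```

A key shipped in browser code can therefore identify which application is calling, but it cannot be treated as a secret.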
