How to properly secure exposed APIs?

I have a site where partner websites can allow their users to check if our service is available at the user’s location. Our site saves the search information (zip code, street number, email).

I currently do this with a workflow API.

  1. users enter the search data in a form at the partner’s website
  2. the partner website makes a POST to our /fiberhoods API
  3. that starts a workflow where I save the data in our database
  4. search our database
  5. return the requested information to the partner website

I assign an API token to each partner website.

As I grow the functionality of the site for our own team, I add more API endpoints. Endpoints that the partner websites should not use. However, since each partner website has an API token, that token allows them to run any exposed endpoint as admin.

Should I transition the partner websites to:

  1. OAuth?
    Would that work? From what I understand the users would have to have an account with our website, which will not be the case.

  2. Data API?
    It wouldn’t be possible to save the request data (zip code, number, email), would it? The partner websites would still need an API token if I want to restrict use of the API?

  3. remove authentication from the workflow API
    I can add a required parameter in the API like access_token and create a faux-API token for each partner website. This way they don’t have a real API Token, but the complexity here seems huge.

  4. or another way…?

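The per-partner `access_token` parameter described in option 3, sketched as an added example that is not part of the original post and not the platform's own configuration: each partner gets a random token that is stored only as a digest and is bound to an explicit endpoint scope, so a partner token valid for `/fiberhoods` is refused everywhere else. The partner name, the `/admin/export` endpoint and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed partner registry: only a SHA-256 digest of each token is stored,
# together with the endpoints that partner may call. Names are hypothetical.
PARTNERS = {}

def issue_token(partner, allowed_endpoints):
    """Create a random token for a partner and store only its digest."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PARTNERS[partner] = {"digest": digest, "scope": frozenset(allowed_endpoints)}
    return token  # handed to the partner once, never stored in clear

def authorize(endpoint, access_token):
    """Return the partner name if the token is valid for this endpoint, else None."""
    if not access_token:
        return None
    presented = hashlib.sha256(access_token.encode()).hexdigest()
    matched = None
    # Compare against every record in constant time so response timing does
    # not reveal how close a guessed token came to a stored one.
    for partner, record in PARTNERS.items():
        if hmac.compare_digest(presented, record["digest"]):
            matched = partner
    if matched is None:
        return None
    # Deny by default: an endpoint outside the partner's scope is refused,
    # so newly added internal endpoints are never reachable with this token.
    if endpoint not in PARTNERS[matched]["scope"]:
        return None
    return matched

def handle_request(endpoint, params):
    """Minimal dispatcher returning a status code and body."""
    partner = authorize(endpoint, params.get("access_token"))
    if partner is None:
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": f"{endpoint} served for {partner}"}

if __name__ == "__main__":
    token = issue_token("partner-a", ["/fiberhoods"])
    # Constructed sample requests: one in scope, one against an internal endpoint.
    print(handle_request("/fiberhoods", {"access_token": token, "zip": "00000"}))
    print(handle_request("/admin/export", {"access_token": token}))
```

Because the scope is an allow-list per token, adding endpoints for the internal team later does not widen what any partner can call.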