I am working on a web application where I need to pull data from a third party vendor. There are REST APIs written for this which will pull data from the third party.

My question is: how can I secure these calls? I mean, if anyone can get the endpoint then he/she will get the data; I want to prevent this.

One answer could be using authentication and authorization: here I will first send the user credentials and, upon successful validation, a token will be returned, and this token will be passed in the header of every subsequent request.

I have a question about this: if I have to pass the token in the header of every request, then I can also pass credentials with every request. Then what is the need for authentication? I can easily pass credentials in the header with every request and authenticate.

Also, if someone can answer: what are the other available options for securing such API calls?

Thanks

Updated 24-Feb-18 6:35am

1 solution


Solution 1

If you pass credentials at each request, then it means that the server would have to re-validate these credentials each time. Given that validating credentials is not free in terms of processor cycles and I/O, that may not be a viable solution, depending on the total charge which the server has to handle.
Whereas the token is constructed from a successful authentication and ensures that a given client has already passed the authentication process. It saves resources and time without compromising the security of your application.
   
Comments
tewary_manish 24-Feb-18 12:34pm
   
In that case also, the token has to be validated every time.
phil.o 24-Feb-18 13:29pm
   
Yes, but validating a token of a few bytes which can be kept in a map in memory is way quicker than doing a request to a database system and/or coupled with some salt & hash operations.
tewary_manish 25-Feb-18 12:41pm
   
OK, thanks for the info, but I still think it's not a good approach. Storing the token in an in-memory map again will have its limitations if my token is time-bound. The token can also be hacked. Anyway, thanks again for clearing my doubts.

Just wanted to check what other options are available if the APIs are pulling data from a different vendor's DB and I want to secure this.
tewary_manish 24-Feb-18 12:56pm
   
What are other options available for security in my case: I am working on a web application where I need to pull data from a third party vendor. There are REST APIs written for this which will pull data from the third party.
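
The trade-off discussed in this thread, as an added example that is not code from any of the posters: the salted, iterated password check runs once at login, and every later request is validated by an in-memory lookup of a random, time-bound token that can be revoked without changing the password. The account, the iteration count, the 15-minute lifetime and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

# Constructed sample account: only a salted PBKDF2 hash of the password is kept.
ITERATIONS = 200_000     # assumed work factor
_salt = os.urandom(16)
USERS = {"alice": (_salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", _salt, ITERATIONS))}
TOKEN_TTL = 900          # assumed token lifetime in seconds
SESSIONS = {}            # sha256(token) -> (username, expiry time)

def _key(token):
    # Only a hash of the token is stored, so a dump of the map yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def verify_password(user, password):
    """Slow path: salted, iterated hash, compared in constant time."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def login(user, password, now=None):
    """Run the slow check once, then issue a random token with an expiry."""
    if not verify_password(user, password):
        return None
    token = secrets.token_urlsafe(32)
    expiry = (time.time() if now is None else now) + TOKEN_TTL
    SESSIONS[_key(token)] = (user, expiry)
    return token

def authenticate(token, now=None):
    """Fast path for each request: one hash, one dict lookup, one expiry check."""
    now = time.time() if now is None else now
    user, expiry = SESSIONS.get(_key(token), (None, 0.0))
    if user is None:
        return None
    if now >= expiry:
        SESSIONS.pop(_key(token), None)   # expired tokens are evicted on first use
        return None
    return user

def revoke(token):
    """Logout or suspected theft: the token stops working, the password is untouched."""
    SESSIONS.pop(_key(token), None)
```

The token travels in the request header in place of the password, so it still has to be sent over TLS; what changes is that a captured token expires and can be revoked, while a captured password stays valid until the user changes it.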

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



