Make PHP API private


#1

Hello,

Currently I am having problems with the console. You can see the API URL with the API key in the Chrome inspector when making an API call to my own PHP API. I need to know how I can make my API private, so only my app can use the API.

I hope someone can help me!


#2

I think if you build your apps for production you are not able to debug your apps that easily.

But that's a topic I tried to find a solution for, but for apps it is very hard to do it.
The only thing you can do is to identify your app via request headers or build an authorization mechanism.
Like someone starts the app --> needs to generate a generic authkey built via user-agent string and all metadata like browser, OS and so on. So you can identify a device with that key.

For Cordova apps you can use the unique UUID of the device!

This key has to be sent with every other API call.

If someone steals the key --> he needs to know the full user-agent info of the device.
But then he could call the authentication request on his own and so on…

So you can only make it not that easy, to avoid unwanted requests to your API.


#3

I’d suggest a JWT token system for PHP with application login / registration.

Add the requirement that all API calls are through HTTPS and you have additional security that way.
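
A sketch of the JWT approach suggested in #3, added here as an example and not part of any post in this thread: the server issues a short-lived signed token at login and verifies it on every API call, so no shared API key has to be embedded in the app. The secret value, function names and claim set are assumptions chosen for illustration.

```php
<?php
// Constructed demo secret (assumption): in practice load it from server-side config only.
const JWT_SECRET = 'constructed-demo-secret-change-me';

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $out = base64_decode(strtr($padded, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

// Called once after the user's credentials were checked at login.
function issue_token(string $userId, int $ttl = 900, ?int $now = null): string {
    $now = $now ?? time();
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode(['sub' => $userId, 'iat' => $now, 'exp' => $now + $ttl]));
    $sig = b64url_encode(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Called on every API request; returns the claims, or null if the token is rejected.
function verify_token(string $jwt, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm on the server; a token claiming "alg":"none" is rejected here.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    // Constant-time comparison of the recomputed signature.
    $expected = b64url_encode(hash_hmac('sha256', "$h.$p", JWT_SECRET, true));
    if (!hash_equals($expected, $s)) return null;
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < $now) return null;
    return $claims;
}

// Constructed demo values: a valid token, a tampered one, and an expired one.
$token = issue_token('user-42', 900, 1700000000);
var_dump(verify_token($token, 1700000100)['sub']);        // string(7) "user-42"
var_dump(verify_token($token . 'x', 1700000100));         // NULL (signature mismatch)
var_dump(verify_token($token, 1700001000));               // NULL (expired)
```

In the API itself the token would arrive in an `Authorization: Bearer …` header over HTTPS and be passed to `verify_token()` before any handler runs.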