How to secure my API, if I want to use it on a different server

Hi,

I already had a similar topic some time ago (How to use Security Provider with a Server Connect Action from another site)

Brian helped me a lot with this. After reading the following article https://restfulapi.net/security-essentials/ I think I should do more to secure my API.

@George, @Teodor, @patrick what do you recommend how to secure an API if there is no possibility to use sessions?

Thanks a lot for your help.

Marcel

Hi,

So just as an idea on how I would do it if I could not use sessions. Also, I'm guessing here that you mean the server-side sessions.

Have a key that needs to be present in the request to authenticate each request; without this key nothing can be done/executed. This key could be obtained from an endpoint which takes username and password and returns the key. It is also kept in a DB for x amount of time (which you purge after the set x time), so you can use it to compare with the key from the requests made; if it is present you continue the request and if not you stop it.

Basically you create your own session handler, but utilizing your DB, your API endpoints and some DB scripts to purge sessions.

FYI: This is just a basic idea that quickly came to me and there has been zero risk assessment made on it. I have the benefit that my work is contained within a domain, so I don't have to worry about external factors and only internal, which makes it a bit easier :)

Regards,

Nick.
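Nick's scheme above, written out as an added Python example (not code from this thread or from Wappler): a login function that issues a random key, the per-request check, and the purge script. It assumes an in-memory SQLite table as a stand-in for the real DB and a one-hour key lifetime, and it stores only a hash of the key so a leaked table does not hand out live keys.

```python
import hashlib
import secrets
import sqlite3
import time

KEY_TTL_SECONDS = 3600  # assumption: a key is valid for one hour

# Constructed stand-in for the real database (in-memory SQLite).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, salt TEXT)")
db.execute("CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, username TEXT, expires_at REAL)")

def _hash_password(password, salt):
    # Slow, salted hash so a copied users table does not expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def add_user(username, password):
    salt = secrets.token_hex(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, _hash_password(password, salt), salt))

def issue_key(username, password):
    """Login endpoint: returns a fresh key for valid credentials, else None."""
    row = db.execute("SELECT pw_hash, salt FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or not secrets.compare_digest(row[0], _hash_password(password, row[1])):
        return None
    key = secrets.token_urlsafe(32)                        # random, not derived from the user
    key_hash = hashlib.sha256(key.encode()).hexdigest()    # only the hash is stored
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
               (key_hash, username, time.time() + KEY_TTL_SECONDS))
    return key

def check_key(key, now=None):
    """Per-request check: returns the username if the key is known and unexpired, else None."""
    now = time.time() if now is None else now
    key_hash = hashlib.sha256(key.encode()).hexdigest()
    row = db.execute("SELECT username, expires_at FROM api_keys WHERE key_hash = ?",
                     (key_hash,)).fetchone()
    if row is None or row[1] <= now:   # unknown or expired: stop the request
        return None
    return row[0]

def purge_expired(now=None):
    """The scheduled DB script: deletes keys past their expiry and returns the count."""
    now = time.time() if now is None else now
    return db.execute("DELETE FROM api_keys WHERE expires_at <= ?", (now,)).rowcount
```

Every request handler would call check_key on the key from the request header and reject the request when it returns None; purge_expired runs from a scheduled task.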

Thanks @pheaxx for sharing your idea. I will try to figure out how to do this. I had the hope that there would be a solution by the Wappler Team 🙂