Hi everyone,
I would like to understand how I can protect my API so that they are only usable by frontend pages and external applications through a key.
At the moment I have seen that if I try to call my API from postman everything works without any type of authentication.
Always add Security Restrict to the top of your APIs. Itās annoying that this isnāt setup by default.
Please vote and comment on this feature request.
As for setting up API keys. There are multiple posts that discuss it. Unfortunately, there isnāt anything built into Wappler as this time, so youāll have to design something yourself.
1 Like
Thanks for the reply but I donāt know how to set this up, is there any example in the documentation?
For the first part of your request. You only need to add the Security Restrict to your APIs when you want to ensure the user has logged in to use/access them.
But I donāt have registered users, I just want my API to be protected by a key for example if it is consumed by an external app
If there are no restriction and registered users then I suppose that this is a public apiā¦
One thing you can do is to add first step inside your api to check if there is a key provided (and if you could check if that key is a āvalidā key it would be better)
So, if there is no valid key, donāt execute the apiā¦
I can use my own key that I insert for example in the environment variables.
I want the APIs to be consumed only by the frontend pages or possibly by my external apps (For example Iām doing an integration with make between linkedin and my lead collection API).
If someone finds an unprotected API they could make endless calls and bring down my server, right?
Iām not the experienced guy here butā¦ I think you should just calm down my friend.
If no sensitive info are behind this api you just check for the presence of a valid key. Let them CALL the api but unless a valid api key is provided not execute it.
I havenāt asked what kind of api youāre making there out of privacy butā¦ is it worth this much protection?
Could employ rate limiting using Cloudflare (available on the free plan) to the path for the requested API and also use Server Connect routing to shield its origin. Be sure to set the correct response for authorised requests and unauthorised alike using a Condition within the Action accordingly.
I think you might be a bit confused around how the server actions work.
In very simple terms, APIs (Server Actions) in Wappler are what lets you pull back end data to the front end (among other things). If you want users to see some kind of dynamic data, youāll probably need to use them.
From what you are describing, an API key wouldnāt be useful, because youād be effectively removing the ability for someone to go to your site and load the dynamic data on the front end.
Someone refreshing really isnāt an issue. Itās just like if you were to keep refreshing any site. If someone tried hard enough, they could take down any site. But what youād more likely have an issue with is API rate limits from linkedin or wherever you are pulling your data from.
Without know what you are exactly trying to build, itās hard to advise, but take for instance you wanted to display your LinkedIn posts on your Wappler created site. One method would be:
- Have a server action that pulls this data from linkedin using the API action, and is set to display the output that you can then display on the front end.
However, thereās probably rate limits on linkedin, so if someone were to constantly refresh an action, youād be constantly pinging the linkedin API to fetch said data which might get you rate limited.
To get around this, you could either implement caching:, or, do it another way:
- Have a schedule action that runs every X amount of minutes (depending on api rate limits) and saves the data to a database. You would then set your server connect action to pull the data from the database instead of directly from linkedin, which would resolve the issue of hitting your rate limit.
This pretty much sums it up and gives a solution for publicly exposed API that is not secured by user authentication.
If a key (header, a hidden form) is not enough, use also a less public domain name (like SupaBase does) and restrict the IPās that can access the server.
1 Like