Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a web service I’m offering to users to tap into my applications database and get some info. Users have to register for an API key and provide that when making requests. Everything works fine but how do I check if the users who registered for a key is actually making the request and not somebody else who he might have given the key to?
I’ve been thinking for the last two days to come up with a solution but nothing so far.
You need to use signed requests. Basically it works like that:
To avoid replay attacks, you can also add nonces and timestamps into the mix. A nonce is simply a number that must be incremented by the client on each request. When you get the request, you check if you’ve already received this nonce/timestamp before. If you did, you reject the request (because it’s most likely a replay attack). If not, you store the nonce/timestamp in your database so that you can look it up later on.
This is more or less how requests are signed in OAuth. Have a look at their example in the link.