I have an ASP.NET MVC3 web application written in C#.
I have one ActionResult that has been designed to return a Json result so that it can be called asynchronously by a webpage using JavaScript. The action is basically as follows:
// Action that returns JSON so the page can call it from JavaScript
public ActionResult FindSomething(string search)
{
    var result = GetSearchResult(search);
    // AllowGet is needed in MVC3 for a GET request to receive a JSON result
    return Json(new { Result = result }, JsonRequestBehavior.AllowGet);
}
Then in one of the web pages I have some JavaScript (using jQuery) to get the data.
What I want to try and do, however, is to restrict access to this FindSomething action so that only my website code can get access to the result. As it stands, anybody could call this action from a web browser.
Any ideas on some options for me to get this done?
It should be noted that there will be no login to this website, so no authentication can be done that way. And I do not want to have anything in the HTML source code relating to a password approach.
Why I want this:
The FindSomething method actually calls a third-party service, which is paid for using credits. So in effect, the more calls, the more it costs.
My concern is, if someone knows about this URL and wants to use the same service then they could query it by our URL and avoid the charge.
I am not sure if this third-party service has even considered this; they offer a couple of ways to interact with the service. One is through a web service which I can call via server code (which I am doing) and one is through some inline JavaScript references – the latter of which requires a hard-coded license key in the HTML source :S
…it may be worth me hitting them up for an answer, but regardless of how I get around this flaw in the service, it still makes for an interesting question here on SO
I am afraid that there’s no reliable way to achieve that given your constraints. You could make it difficult by using, for example, anti-forgery tokens, but it is not 100% bullet-proof. Don’t forget that not only browsers can send HTTP requests. Anyone can forge an HTTP request and send it to your server.
The way this is done with non-GUI APIs is that public keys are given to clients, and the way this is done with GUI applications such as web sites is by giving passwords to your users.
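To make the answer's point concrete, here is an added example (not code from the question or the answer, and not ASP.NET's real anti-forgery implementation): a small Python model of a server that embeds a per-session anti-forgery token in the page and only spends a third-party credit when a request presents a matching cookie and token, plus a per-session quota. The `SearchServer`, `scripted_client` and `naive_request` names, the token format and the quota value are all assumptions made for the illustration. The scripted client obtains the token exactly the way a browser does (fetch the page, read the hidden field) and then calls the endpoint as often as it likes, so the token stops only clients that never load the page.

```python
"""Added example: an anti-forgery token plus session quota, and a scripted
(non-browser) client that satisfies both. Hypothetical code, not the poster's."""
import hashlib
import hmac
import re
import secrets

# Assumed settings for the illustration.
SECRET_KEY = secrets.token_bytes(32)
MAX_CALLS_PER_SESSION = 5  # quota per page load; shows it only raises attacker effort


class SearchServer:
    """Stand-in for the MVC app. Each successful FindSomething call spends a credit."""

    def __init__(self):
        self.sessions = {}      # session id -> {"token": str, "calls": int}
        self.credits_spent = 0  # number of paid third-party calls made

    def get_page(self):
        """GET the search page: issue a session cookie and embed the token in the HTML."""
        sid = secrets.token_hex(16)
        token = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
        self.sessions[sid] = {"token": token, "calls": 0}
        html = (
            "<form>"
            f'<input type="hidden" name="__RequestVerificationToken" value="{token}">'
            '<input name="search">'
            "</form>"
        )
        return {"Set-Cookie": f"session={sid}"}, html

    def find_something(self, cookies, form):
        """POST /FindSomething: reject requests without a valid session + token pair."""
        sid = cookies.get("session")
        token = form.get("__RequestVerificationToken", "")
        session = self.sessions.get(sid)
        if session is None or not hmac.compare_digest(session["token"], token):
            return 403, None
        if session["calls"] >= MAX_CALLS_PER_SESSION:
            return 429, None
        session["calls"] += 1
        self.credits_spent += 1  # the paid third-party call would happen here
        return 200, {"Result": f"results for {form.get('search', '')}"}


def _new_session(server):
    """Do what a browser does: load the page, keep the cookie, read the hidden token."""
    headers, html = server.get_page()
    sid = headers["Set-Cookie"].split("=", 1)[1]
    match = re.search(r'name="__RequestVerificationToken" value="([0-9a-f]+)"', html)
    return {"session": sid}, match.group(1)


def naive_request(server):
    """A client that never loads the page: no cookie, no token. This one is blocked."""
    status, _ = server.find_something({}, {"search": "anything"})
    return status


def scripted_client(server, queries):
    """A non-browser client that scrapes the token and replays it for every query.
    When the per-session quota trips, it simply loads a fresh page and continues."""
    cookies, token = _new_session(server)
    statuses = []
    for q in queries:
        form = {"__RequestVerificationToken": token, "search": q}
        status, _ = server.find_something(cookies, form)
        if status == 429:
            cookies, token = _new_session(server)
            form = {"__RequestVerificationToken": token, "search": q}
            status, _ = server.find_something(cookies, form)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    srv = SearchServer()
    print("no token  ->", naive_request(srv))                       # 403, no credit spent
    print("scripted  ->", scripted_client(srv, [f"q{i}" for i in range(12)]))
    print("credits spent by the scripted client:", srv.credits_spent)  # 12
```

The token and the quota both cost the scripted client nothing more than one extra page load every few calls, which is the answer's point: without something the client must prove (a password or an issued key), any check that the page itself can satisfy can be satisfied by a script that reads the page.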