I’m asked to write a Web API for an application (pc executable, not web-app) that will allow sending emails.
A user clicks something, the app communicates with the API which generates an email and sends it out.
I have to make sure no one unauthorised will have access to the API, so I need to make some kind of authentication and I haven’t got an idea how to do it correctly.
There will be more applications accessing the API.
First thought was: send username and password, but this doesn’t really solve the problem. Because if someone decompiles the application, they’ll have the request URL and variables including user/password, or it can simply be sniffed.
So… what options do I have?
I’m fairly sure secure connection (SSL) is not available to me at the moment, but still, this won’t help me against the decompiling problem, will it?
EDIT
I haven’t said that initially, but the user will not be asked for the username/password. It’s the application(s) that will have to be authenticated, not users of the application(s).
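One concrete way to answer the "sniffed or replayed" half of the question, added here as an illustration and not part of the original post: give each application its own shared secret and have it sign every request with an HMAC over the method, path, body hash, a timestamp and a random nonce, so a captured request cannot be resent and the secret itself never travels over the wire. The client id, secret, header names and `/v1/send` path below are made-up assumptions; the verifier runs with a fixed clock so the example is deterministic. It does not address the decompiling half: whoever extracts the secret from the binary can sign their own requests, so per-application secrets should be revocable, and TLS is still needed for confidentiality of the email contents.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example data: one shared secret per client application.
# Assumption: the server keeps this table (e.g. in a database) keyed by client id.
CLIENT_SECRETS = {
    "desktop-mailer-v1": bytes.fromhex("5d41402abc4b2a76b9719d911017c592c0ffee00"),
}

# Requests older/newer than this many seconds are rejected outright,
# which also bounds how long the server must remember nonces.
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, path, body, client_id, timestamp, nonce):
    """Deterministic string both sides sign; the body is bound via its SHA-256."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, client_id, str(timestamp), nonce])


def sign_request(client_id, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the auth headers for one request (header names are assumed)."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    message = canonical_string(method, path, body, client_id, ts, nonce).encode("utf-8")
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {
        "X-Client-Id": client_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": signature,
    }


class Verifier:
    """Server side: check signature, freshness and nonce uniqueness."""

    def __init__(self, secrets_table, now=time.time):
        self._secrets = secrets_table
        self._seen_nonces = {}  # nonce -> timestamp it was first seen with
        self._now = now

    def verify(self, method, path, body, headers):
        client_id = headers.get("X-Client-Id", "")
        secret = self._secrets.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = int(self._now())
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        # Forget nonces that are outside the window anyway; the timestamp check
        # already rejects anything that old, so the cache stays bounded.
        cutoff = now - REPLAY_WINDOW_SECONDS
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t >= cutoff}
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        message = canonical_string(method, path, body, client_id, ts, nonce).encode("utf-8")
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak how much of the MAC matched.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen_nonces[nonce] = ts
        return True, "ok"


def demo():
    """Run the protocol against a genuine request and several attacks; returns the verdicts."""
    fixed_now = 1_700_000_000  # frozen clock so the result is reproducible
    verifier = Verifier(CLIENT_SECRETS, now=lambda: fixed_now)
    client_id = "desktop-mailer-v1"
    secret = CLIENT_SECRETS[client_id]
    body = b'{"to":"alice@example.com","subject":"hello"}'  # constructed request body
    results = {}

    headers = sign_request(client_id, secret, "POST", "/v1/send", body, timestamp=fixed_now)
    results["genuine"] = verifier.verify("POST", "/v1/send", body, headers)[1]
    # An attacker who sniffed the request resends it verbatim.
    results["replay"] = verifier.verify("POST", "/v1/send", body, headers)[1]
    # A fresh, validly signed request whose body is altered in transit.
    fresh = sign_request(client_id, secret, "POST", "/v1/send", body, timestamp=fixed_now)
    tampered = body.replace(b"alice", b"mallory")
    results["tampered"] = verifier.verify("POST", "/v1/send", tampered, fresh)[1]
    # Someone who knows the URL and header layout but not the secret.
    forged = sign_request(client_id, b"guessed-secret", "POST", "/v1/send", body, timestamp=fixed_now)
    results["wrong_secret"] = verifier.verify("POST", "/v1/send", body, forged)[1]
    # A correctly signed request captured an hour ago.
    stale = sign_request(client_id, secret, "POST", "/v1/send", body, timestamp=fixed_now - 3600)
    results["stale"] = verifier.verify("POST", "/v1/send", body, stale)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>12}: {verdict}")
```

The server only ever sees signatures, never the secret, so sniffing a request yields nothing reusable after the window closes and nothing reusable at all once the nonce has been seen. What it does not give is client identity that survives decompiling: the shared secret is in the binary, which is why the per-application secret should be easy to rotate or revoke server-side, and why the real remedy for a leaked secret is to stop trusting that application build rather than to hide the secret better.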
I would recommend you check out OAuth. It should definitely help you out in sorting out the security issues with authorizing tools to access your API.
http://oauth.net