I’m building an embeddable javascript library that my users can put into their web apps and serve it to their visitors.
The visitors can engage an action on the library, that triggers some data going back to my server.
How do I authenticate the library without leaking credentials to the visitor? Is an access control list locked to the domain the recommended solution, with no credentials exchanged at all?
I took a look here at this question and it seems to be suggested as an outlandish solution: How can I validate/secure/authenticate a JavaScript-based POST request?
If you take a look in other API engines most of them use an API key (Google for example).
I guess, an API Key is just a generated value by the server system, that encondes the credential in a non reversible way.
This together with, for example, the domain of the document host (that can be retrieved by your library reading the host header that is sent when requesting the page) is what can be used for authenticate in your server.
In other words: Encoded credentials (API Key) + domain locked sent by your library to the server.