I’m putting together read and write methods to my database and exposing them via URL (I’m using CodeIgniter framework and using URL segments to pass parameters to these methods). The original idea was to have my Ajax script call these methods. However, now I am thinking I could potentially expose these methods to any developer.
What should I do to make sure only authorized developers use my API? I’m thinking they should pass an API key and possibly password to each method call. If I were to provide them with such details, would that be secure enough?
Also, I’m thinking that I should support POST instead of GET as some of the required parameters may not fit in nicely with URL segments. Thoughts?
Implementing OAuth http://oauth.net/documentation/getting-started/ would work for what you’re trying to do. I’m not certain of what type of data you’re securing, but I agree with TradyBlix this probably best. I’ve implemented it before, it’s not too hard to figure out, it’s well documented with many APIs that handle user-data utilizing it.
Another thing you should think about is limiting API Keys to domains, so a developer can only use their API key from their own domain-essentially preventing an unauthorized developer from gaining access, at least without gaining access to an authorized domain and corresponding key.