'Monitor frontend API usage

I'm creating a Django API where websites can request data from my API. As this service is paid per use I would like to monitor how often each website requests data from my API. Since requests to my API happen via the frontend (so a javascript function is called on button click that request the data) it is not possible for me to use an id in the request, since this token could be read by anyone and reused. How do other services validate users like this? The Google Maps API for instance. I was thinking of using RSA to encrypt the websites ID and a timestamp that could be used in the request parameters.

apisecurityauthentication


Solution 1:[1]

You can try the OAuth2 Authorization Code Flow with PKCE. It uses a code challenge/verifier pattern to avoid having to send secret keys. It was designed for mobile apps which securely store the client secret and was subsequently also recommended for single-page apps which also can't keep them secret.

See auth0.com's write up on PKCE

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 mbakereth

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

How to show or hide contents of an aspx page based on current user's roles

protect images on webpage from being copied/saved?

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

SSL certificate error for IE users only

How to access HttpContext and Request in RequireAssersion?

Send Public key(generated as seckeyref in iPhone) to server(in Java)

The EXECUTE permission is denied on the user-defined table types?

cannot commit or push using egit (guess: issues with secure storage area)

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

SSL Java java.io.IOException: Invalid keystore format

preventing abuse of API service usage

Protecting or Licensing a Django Application