How to Secure a Public API Through Obscurity

Olli
4 min read · Jan 8, 2020

Many of you have probably built public websites, web apps or mobile apps that use an API. This usually means that the API also has to be public, i.e. anyone can just fire off an HTTP request with curl or Python or whatever and get the same access as your website. Sometimes this is fine, but sometimes you would like to keep the data for yourself and only have people use it through the website.

I had this exact problem. I wanted to have a public website with no logins etc., but at the same time I wanted to keep the data to myself and not have someone else use my API. I searched around, but couldn’t find any viable solutions. Then, while implementing my own Base64 encode/decode, something clicked.

Security through obscurity

“Security through obscurity” can mean many things. In general, in my opinion, it means securing something by making it invisible, or making it so hard to use or discover that it is “secure” in practice. In this example, we will make our “key” both hard to discover and hard to use, thus providing some security for our public API. I’m sure the same principle could be used to secure the API in other ways too.

The solution

All kinds of API keys, “normal” auth methods and so on are ruled out, as anyone could just inspect the request and get the key. Something like rate-limiting by IP…
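To make the trade-off concrete, here is an added Python example that is not the article's own code. It assumes a hypothetical scheme in the spirit of the custom Base64 idea above: the website builds a per-request token (a timestamp plus a short HMAC over it) and encodes it with a shuffled Base64 alphabet, and the server reverses those steps. The shuffled alphabet, the `FRONTEND_SECRET` value and the limits are constructed for the example. Because every step the browser performs ships to the browser, the token only raises the effort needed to script the API; the per-IP sliding window is the control that still holds once someone has read the page source, which is why the request handler applies it first.

```python
"""Obscured request token plus per-IP rate limit for a public API (illustration)."""
import base64
import hashlib
import hmac
import time
from collections import defaultdict, deque

STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed shuffled alphabet: the same 64 symbols in a different order.
CUSTOM_ALPHABET = "zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+"
_ENC = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
_DEC = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)

# Constructed value. It lives in the front-end bundle, so it is effectively public.
FRONTEND_SECRET = b"example-frontend-secret"
TOKEN_MAX_AGE = 60   # seconds a token stays valid (limits replay of a captured request)
RATE_LIMIT = 5       # requests per client IP ...
RATE_WINDOW = 10     # ... within this many seconds


def custom_b64encode(data: bytes) -> str:
    """Standard Base64, then remap each symbol through the custom alphabet."""
    return base64.b64encode(data).decode("ascii").translate(_ENC)


def custom_b64decode(text: str) -> bytes:
    """Reverse of custom_b64encode; raises ValueError on malformed input."""
    return base64.b64decode(text.translate(_DEC), validate=True)


def _mac(ts: bytes) -> bytes:
    return hmac.new(FRONTEND_SECRET, ts, hashlib.sha256).hexdigest()[:16].encode("ascii")


def make_token(now: int) -> str:
    """What the website computes per request: '<unix time>:<hmac>' in custom Base64."""
    ts = str(now).encode("ascii")
    return custom_b64encode(ts + b":" + _mac(ts))


def verify_token(token: str, now: int) -> str:
    """Server-side check. Returns 'ok', 'malformed', 'bad_mac' or 'stale'."""
    try:
        ts, _, mac = custom_b64decode(token).partition(b":")
        issued = int(ts)
    except ValueError:          # binascii.Error (bad Base64) is a ValueError subclass
        return "malformed"
    if not hmac.compare_digest(mac, _mac(ts)):
        return "bad_mac"
    if abs(now - issued) > TOKEN_MAX_AGE:
        return "stale"
    return "ok"


class IpRateLimiter:
    """Sliding-window request counter per client IP (in-memory, single process)."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = RATE_WINDOW):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request(limiter: IpRateLimiter, ip: str, token: str, now: float) -> str:
    """Rate limit first: it is cheap, and it counts junk requests against the caller too."""
    if not limiter.allow(ip, now):
        return "rate_limited"
    return verify_token(token, int(now))


if __name__ == "__main__":
    limiter = IpRateLimiter()
    now = int(time.time())
    print("fresh token:", handle_request(limiter, "203.0.113.7", make_token(now), now))
    print("old token:  ", handle_request(limiter, "203.0.113.7", make_token(now - 600), now))
    for _ in range(RATE_LIMIT + 1):
        status = handle_request(limiter, "203.0.113.7", make_token(now), now)
    print("after burst:", status)
```

The timestamp bounds how long a request captured from the network stays usable, and the rate limiter bounds what any single client can do per window regardless of how the token is produced. Neither piece keeps the data private from someone willing to replicate the front-end logic, which is the limit of obscurity-based protection the article is working around.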
