https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-protect-public-APIs-no-credentials-from-being-exploited/m-p/82167#M24 <BLOCKQUOTE><HR /><a href="https://community.developer.cybersource.com/t5/user/viewprofilepage/user-id/60217">@Harold123</a>&nbsp;wrote:<BR /> <P>It's more of a general question, but What is the recommended way to protect APIs used in SIGN UP processes? Let's say there is these public APIs (No user credential required, only API KEYs);</P> <P>find_person(Data about the person trying to sign up), returns if a person already exists or not (no user credentials required AND no sensitive information returned).<BR />create_person(Data about the person trying to sign up), creates this person into the system (no user credentials required)<BR />Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?</P> <P>We are already considering:</P> <P>API KEY for every application (not per session)<BR />Rate limiting<BR />DDoS services to protect the APIs<BR />Any help would be much appreciated.</P> <P>Check this for reference&nbsp;&nbsp;</P> <P>Thanks</P> <HR /></BLOCKQUOTE> <P>Any suggestions ????</P> Thu, 14 Apr 2022 14:28:15 GMT Harold123 2022-04-14T14:28:15Z https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-protect-public-APIs-no-credentials-from-being-exploited/m-p/82159#M22 <P>It's more of a general question, but What is the recommended way to protect APIs used in SIGN UP processes? Let's say there is these public APIs (No user credential required, only API KEYs);</P> <P>find_person(Data about the person trying to sign up), returns if a person already exists or not (no user credentials required AND no sensitive information returned).<BR />create_person(Data about the person trying to sign up), creates this person into the system (no user credentials required)<BR />Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?</P> <P>We are already considering:</P> <P>API KEY for every application (not per session)<BR />Rate limiting<BR />DDoS services to protect the APIs<BR />Any help would be much appreciated.</P> <P>Check this for reference&nbsp;</P> <P>Thanks</P> Wed, 13 Apr 2022 15:18:37 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-protect-public-APIs-no-credentials-from-being-exploited/m-p/82159#M22 Harold123 2022-04-13T15:18:37Z https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-protect-public-APIs-no-credentials-from-being-exploited/m-p/82167#M24 <BLOCKQUOTE><HR /><a href="https://community.developer.cybersource.com/t5/user/viewprofilepage/user-id/60217">@Harold123</a>&nbsp;wrote:<BR /> <P>It's more of a general question, but What is the recommended way to protect APIs used in SIGN UP processes? Let's say there is these public APIs (No user credential required, only API KEYs);</P> <P>find_person(Data about the person trying to sign up), returns if a person already exists or not (no user credentials required AND no sensitive information returned).<BR />create_person(Data about the person trying to sign up), creates this person into the system (no user credentials required)<BR />Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?</P> <P>We are already considering:</P> <P>API KEY for every application (not per session)<BR />Rate limiting<BR />DDoS services to protect the APIs<BR />Any help would be much appreciated.</P> <P>Check this for reference&nbsp;&nbsp;</P> <P>Thanks</P> <HR /></BLOCKQUOTE> <P>Any suggestions ????</P> Thu, 14 Apr 2022 14:28:15 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/How-to-protect-public-APIs-no-credentials-from-being-exploited/m-p/82167#M24 Harold123 2022-04-14T14:28:15Z