It's more of a general question, but what is the recommended way to protect APIs used in sign-up processes? Let's say there are these public APIs (no user credentials required, only API keys):
find_person(data about the person trying to sign up): returns whether a person already exists or not (no user credentials required and no sensitive information returned).
create_person(data about the person trying to sign up): creates this person in the system (no user credentials required).
Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?
We are already considering:
API key per application (not per session)
Rate limiting
DDoS services to protect the APIs
Any help would be much appreciated.
Check this for reference
Thanks
@Harold123 wrote:
Any suggestions ????