How to protect public APIs (no credentials) from being exploited?

It's more of a general question, but what is the recommended way to protect APIs used in sign-up processes? Let's say there are these public APIs (no user credentials required, only API keys):

find_person(Data about the person trying to sign up), returns if a person already exists or not (no user credentials required AND no sensitive information returned).
create_person(Data about the person trying to sign up), creates this person into the system (no user credentials required)
Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?

We are already considering:

API KEY for every application (not per session)
Rate limiting
DDoS services to protect the APIs
Any help would be much appreciated.

Check this for reference 

Thanks

Harold123
Member
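One way to put together the pieces the question lists (an API key per application, a short-lived anonymous session token the SPA or mobile app obtains before sign-up, a rate limit keyed on API key and session, and a find_person that answers only "exists" or "not found"), as an added example that is not from the original post. The API key value, the HMAC-signed token format, the in-memory buckets and the people set are constructed assumptions standing in for a real token service and datastore.

```python
import base64, hashlib, hmac, json, secrets

APP_API_KEYS = {"spa-key-123": "web-spa"}   # constructed: one API key per application, not per session
SESSION_SECRET = secrets.token_bytes(32)     # server-side key for signing anonymous session tokens
SESSION_TTL = 300                            # anonymous session expires after 5 minutes
BUCKET_CAP, REFILL_PER_SEC = 5, 0.5          # token bucket per (api key, session id)
_buckets = {}                                # constructed in-memory store; use a shared cache in production
_people = set()                              # constructed stand-in for the user datastore

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_anonymous_session(api_key: str, now: float):
    """Hand the SPA/mobile app a signed, short-lived anonymous session (no user identity inside)."""
    if api_key not in APP_API_KEYS:
        return None
    claims = {"app": APP_API_KEYS[api_key], "sid": secrets.token_hex(8), "exp": now + SESSION_TTL}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_session(token: str, now: float):
    """Return the claims if the signature is valid and the session has not expired, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None

def _allow(bucket_id: str, now: float) -> bool:
    """Token bucket: each call costs one token; tokens refill at REFILL_PER_SEC up to BUCKET_CAP."""
    tokens, last = _buckets.get(bucket_id, (BUCKET_CAP, now))
    tokens = min(BUCKET_CAP, tokens + (now - last) * REFILL_PER_SEC)
    allowed = tokens >= 1
    _buckets[bucket_id] = (tokens - 1 if allowed else tokens, now)
    return allowed

def _guard(api_key: str, token: str, now: float):
    """API key must be known, session token valid, and the (key, session) bucket must have capacity."""
    claims = verify_session(token, now) if api_key in APP_API_KEYS else None
    if claims is None or not _allow(f"{api_key}:{claims['sid']}", now):
        return None
    return claims

def find_person(api_key: str, token: str, email: str, now: float) -> str:
    if _guard(api_key, token, now) is None:
        return "denied"
    return "exists" if email in _people else "not_found"  # yes/no only, nothing about the person

def create_person(api_key: str, token: str, email: str, now: float) -> str:
    if _guard(api_key, token, now) is None:
        return "denied"
    _people.add(email)
    return "created"
```

Rate-limit exhaustion here returns "denied" without revealing whether the person exists, so an enumeration attempt learns nothing extra once it is throttled.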
@Harold123 wrote:

It's more of a general question, but what is the recommended way to protect APIs used in sign-up processes? Let's say there are these public APIs (no user credentials required, only API keys):

find_person(Data about the person trying to sign up), returns if a person already exists or not (no user credentials required AND no sensitive information returned).
create_person(Data about the person trying to sign up), creates this person into the system (no user credentials required)
Can we have "anonymous" users that have a short-lived JWT token? For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user? Are Captchas actually helpful in this scenario?

We are already considering:

API KEY for every application (not per session)
Rate limiting
DDoS services to protect the APIs
Any help would be much appreciated.

Check this for reference  

Thanks


Any suggestions?

Harold123
Member