max88

Need help with API security

I am building APIs for a project I am working on. Now these APIs are going to be used by third parties. And the users are going to use these third-party apps to access their content, which is stored on our servers. To give users access to their accounts (content) I am thinking of implementing OAuth 2.0.

Now my question is, I also need to restrict access to these APIs. Only a handful of third parties should be able to use them. I also need to know which calls are coming from which third parties.

It would be really nice if you guys could guide me toward a solution.

max88

Let me explain the scenario a bit. It's a food ordering system. There are around 12/13 APIs.

The end user can search for restaurants and foods, filter things, etc. without logging in to the system. The login is only necessary for placing an order, seeing past orders, etc. So, for like 10 APIs I don't need the user to log in.

  • 10 APIs (need to verify the third-party)
  • The rest (need to verify the third-party as well as the user)

The OAuth 2.0 solutions I have seen so far instantly ask the users to log in, which is something I don't want.

It'd be really helpful for me if someone takes the time to explain a possible solution and how all those could fit together.
