
msaied's avatar
Level 10

How to Secure an API?

Hello, everyone ♥ I built a web application with an API of two types (public & private). The private one is secured by authentication (Sanctum). My question is how to secure the public one, to be sure no one else can use it except the application.

0 likes
8 replies
msaied's avatar
Level 10

@bugsysha Do you mean Sanctum? If yes, how? Because this API is used by a phone app, so how do I auth the phone app?

I'm thinking about a token to pass in a header from the app so I can validate the request, but is that best practice?

bugsysha's avatar

@msaied that can be sniffed. The best way is to have an account for each of the users using your public API.

msaied's avatar
Level 10

@bugsysha The reason for my question is that I made an e-commerce website, so I don't want anyone to have an endpoint to get JSON data (for example, products). I need to secure everything and save server resources as well.

martinbean's avatar

The reason for my question is that I made an e-commerce website, so I don't want anyone to have an endpoint to get JSON data (for example, products). I need to secure everything and save server resources as well.

@msaied Well, guess what? You have to use authentication.

You can’t have an API publicly accessible on the Internet that magically blocks access to everyone but a particular mobile app. The mobile app needs to use some sort of authentication mechanism to identify itself so the API can go, “Oh, you’re the mobile app? Cool, I’ll let you access endpoints.”

If you don’t have authentication, then anyone can just watch traffic between your server and the mobile app, get the API endpoint URLs, and start making requests themselves.

msaied's avatar
Level 10

@martinbean Thanks for your reply. I already use authentication for users, but my exact question is "how to secure the connection between the mobile app and my website".

martinbean's avatar

I already use authentication for users, but my exact question is "how to secure the connection between the mobile app and my website".

@msaied With. Authentication.

You can authenticate apps as well as users. So you do need to create some form of authentication mechanism between your mobile app and your API.

1 like
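The pattern the replies converge on (per-user authentication for the mobile app rather than a single shared app token that can be sniffed, plus rate limiting to protect server resources) looks like this in Laravel with Sanctum. This is an added example, not code from msaied's application or from any of the replies. It assumes a standard Laravel install with Sanctum, a `User` model using `HasApiTokens`, and a `Product` model with `id`, `name` and `price` columns; the ability name `products:read` and the throttle limits are chosen for this example.

```php
<?php
// routes/api.php (added example, not the thread's own code).
// Assumes Laravel + Laravel Sanctum, App\Models\User with HasApiTokens,
// and an App\Models\Product model. Ability name and limits are illustrative.

use App\Models\Product;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;
use Illuminate\Validation\ValidationException;

// Login: the mobile app exchanges the user's credentials for a token.
// Every user (and device) gets its own token, so a token that leaks
// identifies one account and can be revoked without affecting anyone else.
Route::post('/login', function (Request $request) {
    $data = $request->validate([
        'email'       => 'required|email',
        'password'    => 'required',
        'device_name' => 'required',
    ]);

    $user = User::where('email', $data['email'])->first();

    if (! $user || ! Hash::check($data['password'], $user->password)) {
        throw ValidationException::withMessages([
            'email' => ['The provided credentials are incorrect.'],
        ]);
    }

    // Limit the token to what the catalogue screens need ("products:read" is
    // an ability name made up for this example).
    $token = $user->createToken($data['device_name'], ['products:read']);

    return ['token' => $token->plainTextToken];
})->middleware('throttle:5,1'); // at most 5 login attempts per minute per IP

// The formerly "public" product feed now requires a valid per-user token
// (sent as "Authorization: Bearer <token>") and is rate limited, which also
// addresses the server-resources concern raised in the thread.
Route::middleware(['auth:sanctum', 'throttle:60,1'])->group(function () {
    Route::get('/products', function (Request $request) {
        if (! $request->user()->tokenCan('products:read')) {
            abort(403);
        }

        return Product::query()
            ->select(['id', 'name', 'price'])
            ->paginate(20);
    });

    // Logout revokes only the token this device presented, leaving the
    // user's other devices logged in.
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });
});
```

The key difference from the "one token in a header" idea earlier in the thread is that no secret is baked into the app binary: a token only exists after a real user authenticates, it is scoped to a device and a set of abilities, and it can be revoked individually. Serve the API over HTTPS so the bearer token is not exposed in transit; the `throttle` middleware caps what any single token or IP can pull from the product endpoint.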
