api


protect API with key in a chrome extension


I have an API endpoint that normally requires an API key header for access. Now I want to use the endpoint in a Chrome extension and somehow need to protect access to it. Is there an alternative approach? The API key won't work since everyone can read the JS files of the extension.
TLDR: How can I make sure only the extension can call the API endpoint?
Here are my thoughts so far:
obfuscation: just makes it a little harder to get the API key
origin header: only allow requests from the extension. However, headers can be easily spoofed with a curl request outside the browser
IP rate limitation: only allow x requests/hour per IP. Can be circumvented by proxies and might cause issues for users on a public network.
user registration: users register for individual API keys. However, this is not really an option. It would add a huge barrier.
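As an added example (not code from the question), here is what the origin-header and per-IP rate-limit ideas above look like combined on the server side; the extension id, limits and addresses are constructed assumptions. The Origin value is client-controlled, so it only filters accidental callers, while the IP budget bounds what any caller, spoofed or not, can do per window.

```python
"""Server-side gate for an endpoint called by a Chrome extension.

Combines two controls from the question: an Origin allow-list for the
extension and a sliding-window request budget per client IP.
"""
import time
from collections import deque

# Constructed extension id; a real one is the 32-char id Chrome assigns.
ALLOWED_ORIGINS = {"chrome-extension://abcdefghijklmnopabcdefghijklmnop"}
MAX_REQUESTS = 100      # requests allowed per IP per window (assumption)
WINDOW_SECONDS = 3600   # one hour, as in "x requests/hour per IP"


class IpRateLimiter:
    """Sliding-window counter keyed by client IP address."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._hits = {}  # ip -> deque of request timestamps

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self._hits.setdefault(ip, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def gate_request(headers, client_ip, limiter, now=None):
    """Return (allowed, reason) for one incoming request.

    Origin is checked first because it is cheap and rejects stray callers
    without consuming their IP budget; it is not proof the extension sent
    the request, since any HTTP client can set the header.
    """
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if not limiter.allow(client_ip, now):
        return False, "rate limit exceeded"
    return True, "ok"
```

Users behind one public NAT address share a single budget here, which is the public-network concern raised above; the limit value decides how painful that is.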
