Hi All,
I have an API service written in ASP.NET Core (netcoreapp:1.1).
This service is responsible for receiving HTTP requests, retrieving the information requested by the client and sending it back (if found) as JSON or XML.
What I need to do now is add authentication to restrict access: my first idea was to create a DB only for this service and put "ID, Username, and Password" in it, only for "allowed" users.
But I looked at some major API services, like Facebook and Google, which let the user in through a KEY generated for "Developers".
I'm wondering: once I have this key and put it into the HTTP header, isn't it then easy for other people to see that key and make a request with it outside the context of "trusted" applications?
Let's say I assign a key to my partner, and he uses this key to get some info from my DB for his business.
Someone else, let's say his employee, can now "borrow" that key from the header and use it to make requests from his personal projects.
Can someone describe to me how safe this method is, and how reliable it is?
Or have I completely misunderstood how it works?
Thanks
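As an added illustration of the two designs being compared in the question (this is not code from the original post, and it is written in Python rather than ASP.NET Core so the protocol is easy to follow): scheme 1 sends the key itself in a header, so any copy of that header is as good as the key; scheme 2 sends only a key id plus an HMAC over the method, path, timestamp and body, so the secret never crosses the wire and a captured request cannot be reused on another endpoint or after a short window. The header names, key values and the 300-second freshness window are hypothetical choices made for this example.

```python
"""Added illustration: a bearer API key versus an HMAC-signed request.

Everything here is constructed for the example: the header names, the key
values and the 300-second freshness window are hypothetical choices, not
anything from a real service.
"""
import hashlib
import hmac
import secrets

# Scheme 1: the key itself is the credential. key -> owner (hypothetical value).
API_KEYS = {"c0ffee-partner-key-not-real": "partner"}

# Scheme 2: a key id is sent, the secret never is. key id -> secret (hypothetical).
SIGNING_SECRETS = {"partner-123": "s3cr3t-partner-signing-secret-not-real"}
KEY_OWNERS = {"partner-123": "partner"}

SKEW_SECONDS = 300  # how stale a signed request may be before it is rejected


def generate_api_key():
    """Keys must come from a CSPRNG, never from something a user picks."""
    return secrets.token_urlsafe(32)


def check_bearer_key(headers):
    """Server side of scheme 1: whoever presents the key is let in."""
    presented = headers.get("X-Api-Key", "").encode()
    for key, owner in API_KEYS.items():
        # Constant-time comparison so timing does not leak the key byte by byte.
        if hmac.compare_digest(presented, key.encode()):
            return owner
    return None


def canonical_string(method, path, timestamp, body):
    """What gets signed: method, path, time and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, method, path, body, now):
    """Client side of scheme 2: prove possession of the secret without sending it."""
    msg = canonical_string(method, path, int(now), body).encode()
    mac = hmac.new(SIGNING_SECRETS[key_id].encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(int(now)), "X-Signature": mac}


def check_signed_request(method, path, body, headers, now):
    """Server side of scheme 2: recompute the MAC, reject stale or altered requests."""
    key_id = headers.get("X-Key-Id", "")
    secret = SIGNING_SECRETS.get(key_id)
    if secret is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(int(now) - ts) > SKEW_SECONDS:
        return None  # captured earlier and replayed too late (or clocks far apart)
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode()):
        return None  # signature does not cover this method/path/body
    return KEY_OWNERS[key_id]


def demo():
    """Run both schemes against a constructed request and return the outcomes."""
    body = b'{"query": "orders"}'
    t0 = 1_700_000_000  # fixed clock so the outcome is deterministic
    captured = {"X-Api-Key": "c0ffee-partner-key-not-real"}  # as seen in a proxy log
    results = {
        "bearer_legit": check_bearer_key(captured),
        # Anyone who saw the header can reuse it unchanged, from anywhere, forever.
        "bearer_replayed_elsewhere": check_bearer_key(dict(captured)),
    }
    signed = sign_request("partner-123", "GET", "/v1/orders", body, now=t0)
    results["signed_legit"] = check_signed_request(
        "GET", "/v1/orders", body, signed, now=t0 + 10)
    # Same captured headers an hour later: outside the freshness window.
    results["signed_replayed_later"] = check_signed_request(
        "GET", "/v1/orders", body, signed, now=t0 + 3600)
    # Captured signature reused on a different endpoint: the MAC no longer matches.
    results["signed_other_path"] = check_signed_request(
        "GET", "/v1/customers", body, signed, now=t0 + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two caveats worth keeping in mind with the signed variant: an exact copy of a signed request still verifies while it is inside the freshness window, so a server that cares about that records the (key id, timestamp, signature) tuples it has already accepted, or requires a per-request nonce; and neither scheme helps if the partner's secret is itself leaked, so the secret has to be stored and rotated with the same care as a password. In both schemes the request should travel over TLS and the credential should stay out of URLs and server logs.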