Return to Answer

You need several types of protection.

Firstly, you need to prevent Site A's key from being used on Site B.

In theory, if the key is bound to a domain, though you cannot depend on the referer header, because you're client is embedding a script directly, you can depend on the document.location client-side (assuming the risk of client's using modified browsers is acceptable). Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key.

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library [or as part of another pre-auth exchange].
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

Secondly, you need to impede Hacker Hank from opening the Chrome console on Site A and doing whatever he wants.

Note though, that it's very difficult, if not impossible, to prevent Hacker Hank from abusing the API. But, you can make it more difficult. And the most reasonably way to impede Hank, that I'm aware of, is rate limiting.

• Limit the number of requests/second/session and requests/hour/session. (Spikes in activity are probably reasonable, but not sustained above-average traffic from a single client.)
• Limit the number of sessions/IP/hour.
• Limit the number of requests/IP/hour. Allow spikes, but not sustained heavy traffic from a single IP.

Thirdly, as you're likely already doing: encrypt the traffic. Sure, the NSA will see it; but Hacker Hank is less likely to.

You need several types of protection.

Firstly, you need to prevent Site A's key from being used on Site B.

In theory, if the key is bound to a domain, you can't depend on the referer header, but because you're client is embedding a script directly, you can reasonably rely on the document.location on the client-side. Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key:

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library [or as part of another pre-auth exchange].
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

Secondly, you need to impede Hacker Hank from opening the debug console or using a modified client on Site A to do whatever he wants with your API.

Note though, that it's very difficult, if not impossible, to completely prevent Hacker Hank from abusing the API. But, you can make it more difficult. And the most reasonably way to impede Hank, that I'm aware of, is rate limiting.

• Limit the number of requests/second/session and requests/hour/session. (Spikes in activity are probably reasonable, but not sustained above-average traffic from a single client.)
• Limit the number of sessions/IP/hour.
• Limit the number of requests/IP/hour. Allow spikes, but not sustained heavy traffic from a single IP.

Thirdly, as you're likely already doing: encrypt the traffic. Sure, the NSA will see it; but Hacker Hank is less likely to.

You need several types of protection.

Firstly, you need to prevent Site A's key from being used on Site B.

In theory, if the key is bound to a domain, though you cannot depend on the referer header, because you're client is embedding a script directly, you can depend on the document.location client-side (assuming the risk of client's using modified browsers is acceptable). Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key.

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library.
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

Secondly, you need to impede Hacker Hank from opening the Chrome console on Site A and doing whatever he wants.

Note though, that it's very difficult, if not impossible, to prevent Hacker Hank from abusing the API. But, you can make it more difficult. And the most reasonably way to impede Hank, that I'm aware of, is rate limiting.

• Limit the number of requests/second/session and requests/hour/session. (Spikes in activity are probably reasonable, but not sustained above-average traffic from a single client.)
• Limit the number of sessions/IP/hour.
• Limit the number of requests/IP/hour. Allow spikes, but not sustained heavy traffic from a single IP.

Thirdly, as you're likely already doing: encrypt the traffic. Sure, the NSA will see it; but Hacker Hank is less likely to.

You need several types of protection.

Firstly, you need to prevent Site A's key from being used on Site B.

In theory, if the key is bound to a domain, though you cannot depend on the referer header, because you're client is embedding a script directly, you can depend on the document.location client-side (assuming the risk of client's using modified browsers is acceptable). Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key.

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library [or as part of another pre-auth exchange].
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

Secondly, you need to impede Hacker Hank from opening the Chrome console on Site A and doing whatever he wants.

Note though, that it's very difficult, if not impossible, to prevent Hacker Hank from abusing the API. But, you can make it more difficult. And the most reasonably way to impede Hank, that I'm aware of, is rate limiting.

• Limit the number of requests/second/session and requests/hour/session. (Spikes in activity are probably reasonable, but not sustained above-average traffic from a single client.)
• Limit the number of sessions/IP/hour.
• Limit the number of requests/IP/hour. Allow spikes, but not sustained heavy traffic from a single IP.

Thirdly, as you're likely already doing: encrypt the traffic. Sure, the NSA will see it; but Hacker Hank is less likely to.

In theory, if the key is bound to a domain, though you cannot depend on the referer header, because you're client is embedding a script directly, you can depend on the document.location client-side (assuming the risk of client's using modified browsers is acceptable). Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key.

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library.
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

You need several types of protection.

Firstly, you need to prevent Site A's key from being used on Site B.

In theory, if the key is bound to a domain, though you cannot depend on the referer header, because you're client is embedding a script directly, you can depend on the document.location client-side (assuming the risk of client's using modified browsers is acceptable). Sending that location (or portions of it) to the server directly is unreliable; but you can use it to generate a session key.

1. Client embeds client_key in request for API library.
2. Server determines host that has access to the API, if any.
3. Server picks "salt" for a session key and sends it to the client with the library.
4. Client calculates a session_key using hash(document.location.host + session_salt).
5. Client uses session_key + client_key for an API call.
6. Server validates the call by looking up the client_key's host and "salt" in the session, computing the hash, and comparing to the provided client_key.

Secondly, you need to impede Hacker Hank from opening the Chrome console on Site A and doing whatever he wants.

Note though, that it's very difficult, if not impossible, to prevent Hacker Hank from abusing the API. But, you can make it more difficult. And the most reasonably way to impede Hank, that I'm aware of, is rate limiting.

• Limit the number of requests/second/session and requests/hour/session. (Spikes in activity are probably reasonable, but not sustained above-average traffic from a single client.)
• Limit the number of sessions/IP/hour.
• Limit the number of requests/IP/hour. Allow spikes, but not sustained heavy traffic from a single IP.

Thirdly, as you're likely already doing: encrypt the traffic. Sure, the NSA will see it; but Hacker Hank is less likely to.