I might me wrong, as I am very new to API Key fundamentals. Please correct me if I am wrong.
I have a JavaScript
front-end, and a backend application in PHP
(can be any technology). I want to expose some API from the backend application for AJAX. So that a third party developer could use my API from their application without worrying about the actual implementation on backend.
I will expose an API Key to the developer, so that whatever request he makes from his application, uses the API key and I can keep a record of which API key is accessing the application.
As it is an AJAX call to the server, he has the API key stored in the JS file that I'll give.
The Question is: If someone would use seek into the JS file he has, one could easily get the API key which was designed for some other application. How should I implement this in a secured manner.
Can anyone help.?
Plain javascript is not possible to hide from the end-user since the end-user is the one executing the code.
You can use obfuscated javascript but then again there is always the possibility of reverse-engineering.