Can I use IP addresses to limit API access

I have a mini API that is only for an app I have built. The API service is on a separate domain to my app. I make jsonp calls to it and receive json in return.

Therefore I only want my app to be able to a开发者_JAVA百科ccess it. Can I just list a series of IP addresses for my app and allow them? Is there a better way to stop requests from anyone else to my API?

The best way to implement IP-based filtering would be at the web-server level. Here's a brief introduction to access control with Apache. If that happens to be your web-server.

If the IP stays the same throughout time, yes this is a valid idea. Another way would be with an id and a key, if you expect further usage from other (dynamic) ip adresses.

What operating system is the API service running on? If it's Linux, look into iptables to only allow a certain IP to access a specific port.

Honestly, I wouldnt go with an IP based solution. While it may work in the short term, it will make things hard in the future. For example, what if your ip provider decides to do a reset? Most likely (unless you have explicitly established the need for static ip with your provider) your ip will change. Then your program will error and you wont know why (or worse, you wont know that a computer is now disconnected). Furthermore, if you want to add machines, think about managing 1000 ips....yikes! The 'right' way of doing this would be to authenticate the machines using some other scheme (user/pass, pki, etc.)