
How can I check if an XMLHttpRequest to my public API is from my own webapp or from a third-party client (to ensure priority)?

Does anybody know of a way of checking on the API side if an XMLHttpRequest has been made from my own web application (i.e. from the JS I have written) or from a third-party application...

The problem, to me, seems to be that because the JS is run on the client and thus accessible to anyone I have no way of secretly communicating to the API server who I am. I think this is useful because otherwise I cannot prioritize requests from my own application over third-party clients in case of high usage.

I could obviously send some non-documented parameters but these can be spoofed.

Anybody with some ideas?


I would have your web server application generate a token that it would pass to your clients either in JavaScript or a hidden field which they in turn would use to call your API. Those with valid tokens get priority, missing or invalid tokens wouldn't. The web server application can create & register the token in your system in a way that limits its usefulness to others trying to reuse it (e.g., time limited).


If you do approve of third party clients accessing your API, perhaps you could provide them with a slightly different, rate-limited interface and document it well (so that it would be easier to use and thus actually be used by third-party clients).

One way to do this would be to have two different API URLs, for example:

  • /api?client=ThirdPartyAppName&... for third-party apps (you would encourage use of this URL)
  • /api?token=<number generated from hidden fields from the HTML page using obfuscated code>&... for your own JS

Note that as you mention, it is not possible to put a complete stop to reverse engineering of your own code. Although it can take longer, even compiled, binary code written in such languages as C++ can be reverse engineered, and that threatens any approach relying on secrecy.


A couple of ideas come to mind. I understand that secrets never last, so I agree that's not a good option.

  • You could run another instance on a different unadvertised port

  • You could do it over SSL and use certs to identify the client

  • A simple but less secure way would be to use cookies

  • You could go by IP address, but that could be an administrative nightmare
