
He talks about wanting to charge for the API. If the JavaScript on your public website directly calls your (otherwise paid) API, how can you avoid exposing the credentials it uses which are unmetered?



I recall some functionality in a PHP framework I was using that allowed you to make API calls on the server side through use of a class or function. It was something like

    $user = $api->GET('/accounts/the_user');

which would process the API call without actually making a separate HTTP request. Would this accomplish it?


You could make sure that the requesting page is on your domain.


It's trivial to use a proxy to modify the referral headers.


Make the calls to the API over HTTPS.



