Virtual Private Network
Several partners require VPN setup to call their APIs. Interestingly, these are primarily telco companies. Our theory is that telco companies prefer VPNs because they are more experienced with networking solutions than with software solutions.
Shared Secret
We have a shared secret with a number of partners, which is basically a string similar to a password. If the shared secret itself is sent to the remote API, the transmission is over SSL.
A better approach does not transmit the shared secret itself, but transmits a hash computed from the shared secret together with the other request parameters, which the receiver recomputes to verify authenticity.
Callback Verification
A third approach requires us to register one of our URLs with the partner. When the partner receives our API call, they call us back on the registered URL. We respond that the request is verified, and only then do they process it.
Whitelisted Domain
Some partners whitelist our domain or IP addresses and won't serve requests from domains or IP addresses that are not whitelisted.
Combination of the Above
Several partners implement some combination of the above.
Among all these approaches, the shared secret provides the most flexibility, as it allows us to call APIs from any server, including developer machines, which really speeds up developer testing. Perhaps this approach is also the most vulnerable.