API Authentication


#1 KamakaZ
Posted 31 August 2012 - 12:19 AM


I'm working on an API/web service for a local company. They currently make a desktop business management package. They are looking for a way to "share" the data that is currently stored in local databases at client sites with mobile/web/desktop "apps". I have been tasked with the job of firstly creating a transport method for the data (up and down) and creating the API.

I have spent weeks on weeks researching best practices/what not to do, but have found myself stuck on one problem: authentication.

I looked into OAuth but am not quite sure how to implement it. I've looked at Facebook, Twitter and other social media APIs for ideas. The only thing I have decided on is that it's going to be written in PHP, use a MySQL database, return JSON or XML data and have a RESTful structure.

As some of the data they have is sensitive (payroll, such as employee payslips) while other data is not so much (e.g. the description of a stock item), I am looking for a way to allow any "app" to retrieve the stock description, but limit the payslip information to "verified" users/apps. With some apps possibly written entirely in JavaScript, viewing app IDs and secrets wouldn't be hard, and they would be easy to forge, e.g. one could get access to another client's data. I can't limit the access based on domain as I've read that this is also easy to forge in the HTTP headers.

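An added example, not code from the original post or from the company's product, showing one way to get the split the post asks for in PHP: resources under /stock/ are public and need no credentials, while resources under /payslips/ require a request signed with HMAC-SHA256 using a per-client secret that stays on the server, and the client's registered scopes and site decide what it may read. The client IDs, secrets, scope names, header names and paths are all made up for the example, and the $CLIENTS array stands in for the MySQL table a real service would query. The design point for the browser-JavaScript concern is that a secret shipped in JavaScript is not a secret, so such a client is only ever registered with public scopes; anything that should see payroll data has to hold a secret that never leaves a server or a properly installed app, or obtain a short-lived token from a user login instead.

```php
<?php
// Added example (not from the original post). Constructed client registry and
// constructed requests; the registry stands in for a MySQL table.
declare(strict_types=1);

const CLOCK_SKEW_SECONDS = 300;   // reject timestamps more than 5 minutes off

// A browser-only app is registered with public scopes only, so leaking its
// secret gains nothing. Secrets are constructed values for the example.
$CLIENTS = [
    'mobile-app-1' => ['secret' => 'constructed-secret-1', 'scopes' => ['stock:read', 'payroll:read'], 'site' => 'client-A'],
    'web-widget'   => ['secret' => 'constructed-secret-2', 'scopes' => ['stock:read'],                  'site' => 'client-A'],
];

// Path prefix => scope required; null means the resource is public.
$RESOURCES = [
    '/stock/'    => null,
    '/payslips/' => 'payroll:read',
];

function requiredScope(array $resources, string $path): ?string
{
    foreach ($resources as $prefix => $scope) {
        if (strpos($path, $prefix) === 0) {
            return $scope;
        }
    }
    return 'admin';   // unknown paths are never public (assumed default)
}

function canonicalString(string $method, string $path, string $ts, string $nonce, string $body): string
{
    // Everything that matters about the request is bound into the signature.
    return implode("\n", [$method, $path, $ts, $nonce, hash('sha256', $body)]);
}

function signRequest(string $clientId, string $secret, string $method, string $path, string $body, int $now): array
{
    $ts    = (string) $now;
    $nonce = bin2hex(random_bytes(16));
    $sig   = hash_hmac('sha256', canonicalString($method, $path, $ts, $nonce, $body), $secret);
    return ['X-Client-Id' => $clientId, 'X-Timestamp' => $ts, 'X-Nonce' => $nonce, 'X-Signature' => $sig];
}

// Returns the client record, or null on any failure (unknown id, stale
// timestamp, replayed nonce, bad signature) so the caller leaks nothing.
function authenticate(array $clients, array $headers, string $method, string $path, string $body, array &$seenNonces, int $now): ?array
{
    $id    = (string) ($headers['X-Client-Id'] ?? '');
    $ts    = (string) ($headers['X-Timestamp'] ?? '');
    $nonce = (string) ($headers['X-Nonce'] ?? '');
    if (!isset($clients[$id]) || !ctype_digit($ts) || $nonce === '') {
        return null;
    }
    if (abs($now - (int) $ts) > CLOCK_SKEW_SECONDS || isset($seenNonces[$nonce])) {
        return null;
    }
    $expected = hash_hmac('sha256', canonicalString($method, $path, $ts, $nonce, $body), $clients[$id]['secret']);
    if (!hash_equals($expected, (string) ($headers['X-Signature'] ?? ''))) {   // constant-time compare
        return null;
    }
    $seenNonces[$nonce] = true;   // in production: store with an expiry in MySQL or a cache
    return $clients[$id];
}

function handle(array $clients, array $resources, array $headers, string $method, string $path, string $body, array &$seenNonces, int $now): array
{
    $scope = requiredScope($resources, $path);
    if ($scope === null) {
        return [200, ['description' => 'Blue widget, 10 mm']];   // public: no credentials needed
    }
    $client = authenticate($clients, $headers, $method, $path, $body, $seenNonces, $now);
    if ($client === null) {
        return [401, ['error' => 'authentication required']];
    }
    if (!in_array($scope, $client['scopes'], true)) {
        return [403, ['error' => "scope $scope required"]];
    }
    // The real query adds WHERE site = :site so one client can never read another client's rows.
    return [200, ['payslip' => 'EMP-42, period 2012-08', 'site' => $client['site']]];
}

// Constructed requests: anonymous public read, a privileged app, a public-only
// widget, a forged client id, and a replay of the privileged request.
$seen = [];
$now  = time();
$reqs = [
    ['anonymous',    [], 'GET', '/stock/123', ''],
    ['mobile-app-1', signRequest('mobile-app-1', $CLIENTS['mobile-app-1']['secret'], 'GET', '/payslips/42', '', $now), 'GET', '/payslips/42', ''],
    ['web-widget',   signRequest('web-widget',   $CLIENTS['web-widget']['secret'],   'GET', '/payslips/42', '', $now), 'GET', '/payslips/42', ''],
];
$forged = $reqs[2][1];
$forged['X-Client-Id'] = 'mobile-app-1';   // widget's signature, privileged app's id
$reqs[] = ['forged', $forged, 'GET', '/payslips/42', ''];
$reqs[] = ['replay', $reqs[1][1], 'GET', '/payslips/42', ''];

foreach ($reqs as [$who, $headers, $method, $path, $body]) {
    [$status, $json] = handle($CLIENTS, $RESOURCES, $headers, $method, $path, $body, $seen, $now);
    printf("%-12s %s %-14s -> %d %s\n", $who, $method, $path, $status, json_encode($json));
}
```

Run it with `php example.php`: the anonymous stock read and the signed mobile-app payslip read return 200, the widget is authenticated but gets 403 because it lacks payroll:read, the forged request gets 401 because the signature was made with the widget's secret (and its nonce was already consumed), and the replay gets 401 because the nonce was seen. The scheme is deliberately simpler than OAuth: each installed app or server gets its own id and secret issued out of band, the secret is used to sign rather than sent, and the scope check and the site filter on the SQL query are what keep one client's payroll data away from another's.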


