Hi to all,
I've created a web application, and now I want to build some REST APIs to make it programmable by third-party developers. Then I want to build some client libraries in some popular languages (JavaScript, PHP, Ruby, etc.) to make devs comfortable using my service by saving them from parsing the JSON response of each request by hand.
I've never built an API infrastructure before, so I have the following question. I'd like to track the usage of the API methods called by third-party developers. Each developer, before consuming the APIs, must be registered, and so I want to associate each request with the registered developer (and so set some specific usage limits, etc.).
I thought of creating a unique API key for each developer that he could use in all his apps to authenticate the requests. But then I realized that if he decides to use my JavaScript wrapper, then malicious users could view the source code of the client app page and grab his API key. So I decided that it would be better to create a unique API key for every application, associated with the domain where the client app would be hosted, so that even if a user grabs someone else's key, it would be useless outside the domain where it was originally registered. But then I thought: what about mobile apps? What happens if the call is made not from a website? How can I authenticate the key through its domain if there's no domain or the IP address is not static?
Any tips?
Thanks!
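A server-side sketch of the scheme the post describes (one key per application, optional origin binding for browser-hosted apps, usage counted per developer across all of that developer's apps), added here as an example and not the asker's code. The `Gateway` class, its method names and the in-memory dicts are assumptions standing in for a real database; the `Origin` header check is the browser-enforced part, and the comment notes its limit.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Application:
    developer: str
    allowed_origins: frozenset  # empty = not origin-bound (e.g. a mobile app)


@dataclass
class Gateway:
    """Constructed in-memory registry; a real service would persist these."""
    apps: dict = field(default_factory=dict)   # api_key -> Application
    usage: dict = field(default_factory=dict)  # (developer, minute) -> count
    limit_per_minute: int = 60

    def register_app(self, developer, allowed_origins=()):
        """Issue a distinct random key per application, not per developer."""
        key = secrets.token_urlsafe(32)
        origins = frozenset(o.lower() for o in allowed_origins)
        self.apps[key] = Application(developer, origins)
        return key

    def authenticate(self, api_key, origin=None, now=None):
        """Return (accepted, reason, developer) for one incoming request."""
        app = self.apps.get(api_key)
        if app is None:
            return False, "unknown_key", None
        if app.allowed_origins:
            # Browsers set Origin on cross-origin requests and enforce CORS,
            # so a key lifted from page source is rejected when embedded in
            # another site. A scripted client can forge Origin, so this limits
            # abuse of a leaked key; it does not make the key a secret.
            if origin is None or origin.lower() not in app.allowed_origins:
                return False, "origin_not_allowed", None
        # Usage is attributed to the developer, so the limit is shared by all
        # of that developer's applications (web and mobile alike).
        now = time.time() if now is None else now
        window = (app.developer, int(now // 60))
        count = self.usage.get(window, 0) + 1
        self.usage[window] = count
        if count > self.limit_per_minute:
            return False, "rate_limited", app.developer
        return True, "ok", app.developer
```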