Hi,

I've developed an API with WCF Data Services which exposes my website users' data.

The data hosted there belongs to each user and is not public, so the API is secured with API keys which are unique to each client, and with HTTP header or GET parameter based authentication.

Now I am wondering if I should enable JSONP on my API. It seems that it would make mash-ups much easier, but on the other side I've seen blog postings like the following, which seem to suggest that JSONP is per se insecure:

http://robubu.com/?p=24

Am I understanding something wrong, or is JSONP indeed only meant for public APIs?

Thanks,

Adrian

A: 

JSON(P) is simply a data format, and I think that it's wrong to talk about the security of JSON. Security should be considered in the context of the transportation and interpretation of the information that is packed in JSON.

Information can be encrypted before it is packed in JSON format, or whole JSON messages can be encrypted. Security is then based on the strength of the encryption, and JSON can be used in an insecure environment.

aco
-1: I am sorry, but it seems you are missing the point. This is not related to SSL issues, but to CSRF (Cross Site Request Forgery) attacks as described in the article.
Adrian Grigore
This box is too small for elaborating on my answer, but I think you should split your question and your problem into smaller chunks. Thank you for the negative point :)
aco
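The CSRF concern raised in the comments comes down to how the JSONP endpoint authenticates: a `<script src="...">` tag on any third-party page sends the user's cookies along, so an endpoint that falls back to cookie/session authentication would hand that page the user's data, whereas an explicit per-client API key (as the question describes, in a header or GET parameter) is something a third-party page does not have. The following is an added example, not code from the original thread or from WCF Data Services, showing a server-side guard that serves JSONP only when an explicit API key is presented, honours ambient cookie auth only for plain JSON responses, and restricts the callback name so the response cannot be turned into arbitrary script. The request shape (`headers`, `query`, `cookies` maps), the key store, the session store and the sample user data are all constructed for the example.

```javascript
// Added example (not from the original thread). Assumes a request object with
// `headers`, `query` and `cookies` as plain maps, as a small web framework would
// supply; the stores below are constructed placeholders, not real credentials.

// Constructed per-client API keys and cookie sessions.
const API_KEYS = new Map([['client-a', 'constructed-key-a-000']]);
const SESSIONS = new Map([['sess-123', 'client-a']]);
// Constructed private data that only the owning client may read.
const USER_DATA = { 'client-a': { email: 'a@example.invalid', plan: 'pro' } };

// Only plain JavaScript identifiers (optionally dotted) are accepted as the
// callback, so the reflected name can never inject script into the response.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Length-independent compare so key lookup does not leak via timing.
function constantTimeEqual(a, b) {
  const sa = String(a), sb = String(b);
  let diff = sa.length ^ sb.length;
  for (let i = 0; i < Math.max(sa.length, sb.length); i++) {
    diff |= (sa.charCodeAt(i) || 0) ^ (sb.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function clientFromApiKey(apiKey) {
  let found = null;
  for (const [id, key] of API_KEYS) {
    if (constantTimeEqual(key, apiKey)) found = id;
  }
  return found;
}

// Returns { status, headers, body } for a request to the user-data endpoint.
function handleUserData(req) {
  const apiKey = req.headers['x-api-key'] || req.query.api_key || null;
  const callback = req.query.callback;
  const isJsonp = callback !== undefined;
  const baseHeaders = { 'X-Content-Type-Options': 'nosniff' };

  if (isJsonp && !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: baseHeaders, body: 'invalid callback' };
  }

  let clientId = null;
  if (apiKey) {
    clientId = clientFromApiKey(apiKey);
  } else if (!isJsonp && req.cookies && req.cookies.session) {
    // Cookie auth is honoured for plain JSON only: a <script> tag embedded on
    // any other site would also send this cookie, so a JSONP response
    // authenticated by cookie alone would expose the data cross-site.
    clientId = SESSIONS.get(req.cookies.session) || null;
  }
  if (!clientId) {
    return { status: 401, headers: baseHeaders, body: 'unauthorized' };
  }

  const json = JSON.stringify(USER_DATA[clientId]);
  if (isJsonp) {
    // Script content type plus a leading comment, so the body is served as
    // JavaScript and never starts with caller-controlled bytes.
    return {
      status: 200,
      headers: { ...baseHeaders, 'Content-Type': 'application/javascript; charset=utf-8' },
      body: `/**/ ${callback}(${json});`,
    };
  }
  return {
    status: 200,
    headers: { ...baseHeaders, 'Content-Type': 'application/json; charset=utf-8' },
    body: json,
  };
}
```

One caveat on the GET-parameter variant the question mentions: a key placed in the URL of a mash-up page is visible to every visitor of that page, so such a key should be scoped to data the client is willing to publish, with anything more sensitive kept behind header-based or cookie-plus-JSON access.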