Restrict APP REST API for users with account and capabilities

admin管理员组

文章数量:1122826

I am building a Web Application, I use WordPress/Gutenberg for the front-end. It works well, but I want to add a way for the users who have a WordPress account to use my Application REST API, what would be the proper software architecture to achieve that?

Note that I am not referring to the WP headless REST API, I am referring to a REST API I developed. I want to prevent users without WordPress account users to use it. Currently, my back-end server don't have any notion of user/role, I saw that I may use WordPress capabilities. I saw that multiple websites provide the user a "API_KEY" or something like that, while I understand how to generate such magic number, I am not sure how it is implemented. I can imagine a database on the backend side with the list of autorized keys, then provide the WordPress user a single key, is it as simple as that?

My concern is that if the user login, access the page, check the API with Firefox Debugger, then he will able to "reverse-engineer" and call the API without being logged.

本文标签： Restrict APP REST API for users with account and capabilities