How to determine from which domain the API call is made?

Let's say I have an API http://iton-test.apigee.net/xxx/yyy. This API can be called by any number of domains using AJAX calls, JavaScript, etc., as I am making it accessible to the public. What I want to know is which domain is calling my API in every call. I would like to extract that domain name and pass it to my backend. Is it possible to do that here?


Hi @archana

Yes, there are a couple of options. On a per-request basis, Apigee makes multiple variables available in the proxy. One of those is called client.host and contains the HTTP host associated with the request received by the ProxyEndpoint.

1) You could use Apigee policies to extract this as a variable and then assign it as a header or query param in each API request being passed to your backend targets.

2) You could use Apigee Analytics to get aggregated details on source of API calls.

If I've addressed your question, please click the "Accept" link below or let us know how we can further help.

Hi @mschreuder

Thanks for the help. I did get the client.host using a JS policy. I also tried to get client.ip. I found it strange that both variables are showing the same IP address. Are they both supposed to contain the same IP? Then why two different variables?

Hi @archana I don't know why that is, but here's how to resolve it:

One option is to use a reverse DNS lookup, via a callout, using the client IP. They can turn client IPs into domains. I can't recommend a specific provider, but if you do an internet search for reverse DNS lookup you will see some options that you might want to experiment with.

Alternatively, you could request (or even require - you can enforce via your API Proxy) anyone calling your API to have a header or a query param containing their domain. The downside is that could be spoofed / defeated by putting any text in.

A more robust option would be to publish a developer program. Developers would register and they would have separate developer apps. Incoming requests would present their app. You would know which app was from which domain because that would be captured back at the registration stage. While more robust, this is a more complex solution but it also brings additional benefits such as the ability to block or limit anonymous access and also potentially implement monetization of your APIs.
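
As an added example (not code from any of the posters or from Apigee): a JavaScript policy body that passes client.ip and client.host to the backend, as the first reply describes, and treats the caller-declared domain header from the last reply as an unverified claim that is only checked for shape. The header names X-Client-IP, X-Client-Host and X-Caller-Domain and the mockContext helper are assumptions for illustration.

```javascript
// Added example: body of an Apigee JavaScript policy attached to the request flow.
// Header names are assumptions for illustration, not Apigee defaults.
var DECLARED = 'request.header.X-Caller-Domain'; // caller's own claim (spoofable)
var OUT_IP = 'request.header.X-Client-IP';       // set from client.ip
var OUT_HOST = 'request.header.X-Client-Host';   // set from client.host
var LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns a lower-cased DNS name, or null when the value is not a plain hostname.
function normaliseDomain(value) {
  if (value === null || value === undefined) return null;
  var name = String(value).trim().toLowerCase().replace(/\.$/, '');
  if (name.length === 0 || name.length > 253) return null;
  var labels = name.split('.');
  if (labels.length < 2) return null;
  for (var i = 0; i < labels.length; i++) {
    if (!LABEL.test(labels[i])) return null;
  }
  return name;
}

function forwardClientInfo(ctx) {
  // Overwrite, never append: a caller may have sent these header names itself.
  ctx.setVariable(OUT_IP, String(ctx.getVariable('client.ip') || ''));
  ctx.setVariable(OUT_HOST, String(ctx.getVariable('client.host') || ''));
  // The declared domain is only checked for shape; it remains the caller's claim.
  var declared = normaliseDomain(ctx.getVariable(DECLARED));
  ctx.setVariable(DECLARED, declared || '');
  return declared;
}

// Constructed stand-in for Apigee's `context`, so the logic can run outside a proxy.
function mockContext(vars) {
  return {
    vars: vars,
    getVariable: function (k) { return k in vars ? vars[k] : null; },
    setVariable: function (k, v) { vars[k] = v; }
  };
}

// Inside Apigee the global `context` exists; elsewhere this branch is skipped.
if (typeof context !== 'undefined') {
  forwardClientInfo(context);
}
```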