Securing API for Single Page Application

ateebshaik
Participant III

Hi

I was trying to explore securing Apigee APIs that are to be called from a single-page application.

Given that the API key which we use to identify the apps can be viewed if the user downloads the app or views the source while we call the APIs, the same would be the case with the access token, as the user can get hold of the token. It would be great if someone could give me more insights or an approach I have to follow to secure my APIs.

Help or guidance would be appreciated.

Thanks

Solved

2 ACCEPTED SOLUTIONS

@Mohammad Ateeb Shaik, use JWT tokens. Apigee Edge now has support for them out of the box.

See an article that I came across on the internet here: https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-applicati...


sidd-harth
Participant V

+1 to Anil's answer. You should go ahead with JWT.

@Mohammad Ateeb Shaik, I would like to share my experience working with JWT in SPA.

  • I have worked on a MEAN application PoC, where JWT security was developed using Node.js modules.
  • Within my SPA (AngularJS), when user login is successful, we create a JWT and store it in a browser cookie.
  • With each API call, we were sending the JWT from the cookie.
  • When a user logs out, we used to clear the cookie.

In our PoC everything was done through Node.js modules.

In your case, you can make use of Apigee JWT policies.


4 REPLIES

Thanks a lot Anil Sagar and Siddharth Barahalikar for your valuable suggestions and guidance. I would explore more on JWT and the article. Kudos.

+1, great answer, and thank you for sharing your experience @Siddharth Barahalikar. Way to go!