Perhaps I'm asking for something impossible, but here we go: I'm trying to find a way to authenticate client requests to an API, but some clients can only use JavaScript to send their requests (they use hosted services which don't allow writing a single line of server-side code). This means that any API key, secret or hash has to be handled by JavaScript, effectively making them useless.
I've seen some APIs using heavily obfuscated code, but, in my opinion, such an approach gives a false sense of security (it can be easily read with JavaScript Beautifier). Is there any better approach?
Thanks in advance for all the answers.
No, JavaScript is open, which means zero security.
The most sensible thing to do is proxy the API through a server you own, then get people to sign up to the server with their keys.
This means even though they can't have any server-side code, it's OK, because you're hosting the server for them.
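
The proxy approach from the answer above, sketched as an added example (not code from the original thread): the browser sends only a public site id, and the proxy attaches the real key server-side. The `X-Site-Id` header, the registry, the upstream URL, the path allow-list and the `Bearer` scheme are all assumptions made for illustration.

```javascript
// Added example: every name and value here is constructed for illustration.
const UPSTREAM = "https://api.upstream.example"; // hypothetical third-party API

// Public site id -> server-side record. The upstream key is stored only on
// the proxy (in practice, a secrets store) and is never shipped to a browser.
const SITES = new Map([
  ["site_demo1", { apiKey: "UPSTREAM-KEY-PLACEHOLDER",
                   origins: ["https://shop.example"], perMinute: 3 }],
]);
const ALLOWED_PATH = /^\/v1\/(products|prices)(\/[\w-]+)?$/; // read-only subset
const windows = new Map(); // site id -> { start, count } for rate limiting

// Decide whether a browser request may be forwarded and, if so, build the
// outbound request from scratch so no client-supplied header is relayed.
function buildUpstreamRequest(req, now = Date.now()) {
  const siteId = req.headers["x-site-id"];
  const site = SITES.get(siteId);
  if (!site) return { status: 401, error: "unknown site" };

  // Page script cannot set Origin, but a non-browser client can forge it,
  // so this check filters casual reuse and is not authentication.
  if (!site.origins.includes(req.headers["origin"]))
    return { status: 403, error: "origin not allowed" };

  if (req.method !== "GET" || !ALLOWED_PATH.test(req.path))
    return { status: 403, error: "endpoint not exposed" };

  // Fixed-window limit caps what a forged-Origin caller can consume.
  let w = windows.get(siteId);
  if (!w || now - w.start >= 60000) windows.set(siteId, (w = { start: now, count: 0 }));
  if (++w.count > site.perMinute) return { status: 429, error: "rate limit" };

  // Assumed upstream auth scheme: a Bearer token in the Authorization header.
  return { status: 200, upstream: { method: "GET", url: UPSTREAM + req.path,
           headers: { authorization: "Bearer " + site.apiKey } } };
}
```

An HTTP handler would call this function, perform the outbound request described by `upstream`, and relay only the response body to the browser.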