To ensure a REST API is accessed only by known consumers, client applications usually sign each HTTP request with a secret and then send the resulting signature together with the API key to the server.
In the case of JavaScript clients the API key and secret are hardcoded in the script itself... so how does this mechanism ensure a client sending the request is really the client it is supposed to be? I'm asking because if the secret is hardcoded in the JavaScript, everybody could look at it, steal the secret, and use it in other applications.
Is there a safer way to expose an API to consumers? I know there are other posts on Stack Overflow covering this topic... but what is not clear to me is how to deal with both consumer authorization and user authorization. In my case, consumer authorization determines whether or not a third party is allowed to access my API and has nothing to do with business logic, while user authorization is at application level (i.e. after the consumer has been identified and authorized).
After some googling I found this great article and just implemented the solution it describes ;-)