I have an endpoint that returns JSON, which I use on a site with AJAX.
I want to use the same endpoint from other sites (running on different domains), so I want to convert it into JSONP with a callback.
The data is not sensitive and doesn't need extensive security. However, I want to make it as difficult as possible for other sites to use the endpoint directly in their sites. (I realize that they can technically use almost any internet-accessible endpoint through server-side code or a reverse proxy.)
What's the best way to accomplish that?
One idea I had is to add a JWT token as a parameter. The token would be served on sites that use the endpoint. Would that make sense? Is there a better practice to accomplish this?
Using CORS instead of JSONP would give you more control over which websites can access the JSON; however, it wouldn't stop servers from accessing the JSON at all, meaning bypassing it would simply mean using something like YQL to get the data, or their own server.
JWT would however solve that problem, assuming each JWT would expire relatively quickly.