Tags: ruby-on-rails, rest, authentication, api-design

How to secure basic methods like user creation in an API


I'm learning about developing APIs with Rails, but I can't find how to secure the base methods like user creation. Let's say I have a Rails backend API and a frontend mobile app. I want the app to be able to make API calls to create a new user. Of course, not everyone should be able to create a new user, so it should have some kind of authentication. I could use basic or digest authentication (it doesn't really matter, because I'll definitely use SSL), but then I would have to hardcode the credentials into my app. If the credentials are discovered somehow, I would have to change them, but that would mean that all instances of the app are no longer authenticated and they can't create users anymore.

The things I would like to have:

  1. Only my apps should be able to use the user creation calls.
  2. It should be easy to change the credentials, or the credentials should change automatically over time. If they would involve the date and time for example, it would be harder to crack.
  3. It should be impossible (or VERY hard) to beat the system behind it, while having knowledge of a couple of the credentials over time.

Would it be possible for example to let my apps generate public and private key pairs at random and use them? What's the standard way of securing these calls?

Thanks in advance,

Rugen Heidbuchel


Solution

  • I could share my own experience:

    • HTTPS protocol communication with the API. That covers your last sentence about private/public keys; all of it is built into HTTPS.
    • Doorkeeper gem (we combine it with Devise) for OAuth (GitHub accounts in my case) as authentication; you can use user/password pairs instead.
    • CanCanCan gem as authorization (user creation restriction is about authorization and not authentication).

    That set of three tools should provide an essential security level for your API. I believe CanCanCan could be under discussion, while Devise is mostly an industry standard.
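To make the answer's distinction between authentication and authorization concrete, here is an added example (not code from the answer, nor from the Doorkeeper, Devise or CanCanCan gems). It models the two server-side layers in plain Ruby: a bearer token is resolved to a user the way an OAuth access token would be, and a small `Ability` class standing in for CanCanCan's DSL decides whether that user may create users. The users, tokens and the `Ability` implementation are constructed for the example; the transport layer (HTTPS) is assumed and not modelled.

```ruby
# Added illustration of the answer's layers, in plain Ruby (no Rails, no gems):
#   authentication: a bearer token resolves to a user (Doorkeeper-style lookup)
#   authorization:  an Ability decides if that user may create users (CanCanCan-style)
# The Ability class below is a simplified stand-in, not the CanCanCan gem itself.

User = Struct.new(:id, :email, :role)

# Constructed sample data: one admin, one ordinary member.
USERS = {
  1 => User.new(1, "admin@example.test", :admin),
  2 => User.new(2, "member@example.test", :member),
}.freeze

# Constructed access tokens -> user id, standing in for an OAuth token table.
ACCESS_TOKENS = {
  "tok-admin-001"  => 1,
  "tok-member-002" => 2,
}.freeze

# Minimal ability class mirroring the shape of a CanCanCan Ability:
# rules are declared per user, then queried with can?.
class Ability
  def initialize(user)
    @rules = []
    return if user.nil?                       # anonymous callers get no rules
    can :read, User                           # any signed-in user may read users
    can :create, User if user.role == :admin  # only admins may create users
  end

  def can(action, subject)
    @rules << [action, subject]
  end

  def can?(action, subject)
    @rules.include?([action, subject])
  end
end

# Authentication: resolve the Authorization header to a user, or nil.
def authenticate(headers)
  header = headers["Authorization"].to_s
  return nil unless header.start_with?("Bearer ")
  token = header.delete_prefix("Bearer ")
  id = ACCESS_TOKENS[token]
  id && USERS[id]
end

# Controller-like create action. Returns [http_status, body].
# 401 = who are you? (authentication), 403 = you may not (authorization).
def create_user(headers, params)
  current_user = authenticate(headers)
  return [401, { error: "unauthenticated" }] if current_user.nil?
  return [403, { error: "forbidden" }] unless Ability.new(current_user).can?(:create, User)
  return [422, { error: "email required" }] if params[:email].to_s.empty?

  # Not persisted in this illustration; a real app would save the record.
  new_user = User.new(USERS.size + 1, params[:email], :member)
  [201, { id: new_user.id, email: new_user.email }]
end

if __FILE__ == $PROGRAM_NAME
  p create_user({ "Authorization" => "Bearer tok-admin-001" }, { email: "new@example.test" })
  p create_user({ "Authorization" => "Bearer tok-member-002" }, { email: "new@example.test" })
  p create_user({}, { email: "new@example.test" })
end
```

The point the answer makes is visible in the status codes: a missing or unknown token fails at the authentication layer (401), while a valid token for a user without the `:create` rule fails at the authorization layer (403). In a Rails app these two checks would typically be `before_action :doorkeeper_authorize!` followed by a CanCanCan `authorize!` or `load_and_authorize_resource`, with the HTTPS layer protecting the token in transit.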