Tags: security, api-design

Secure API calls from partner website


At the company I'm working for we're building a system that needs to allow for API calls from the user's website.

This is what I have thought so far:

  1. The user registers their website with our system.

  2. The system generates a token that will be put in a file on the user's server (or something similar) in order to verify that the website is owned by the user.

  3. The user presses a verify button that will make our system check that the token is present at the predefined location.

  4. If the token matches the one saved in our database, the website is verified and the server information such as the IP address and domain name is saved in the database in order to allow requests to the system API.

What are the alternatives in order to allow API calls from the user's website in an easy way for the user? Anything that can be done to improve and secure this flow?
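The verification step described in the question (a random token published at a predefined location, then compared against the stored value), as an added example that is not code from the original post; the `.well-known` path, the in-memory stores and the injected `fetch` callback are assumptions so that it runs offline.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory stores standing in for the database in the question.
PENDING = {}    # host -> token waiting to be found on the user's server
VERIFIED = {}   # host -> saved server details, allowed to call the API

# Assumed location where the user must publish the token (not in the post).
TOKEN_PATH = "/.well-known/example-verification.txt"


def register_site(site_url: str) -> str:
    """Steps 1-2: record the host and issue a high-entropy, one-shot token."""
    parts = urlparse(site_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("site must be an https URL with a host name")
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    PENDING[parts.hostname] = token
    return token


def verify_site(site_url: str, fetch) -> bool:
    """Steps 3-4: fetch the token from the predefined path and compare it.

    `fetch(url) -> str | None` is injected so the example runs offline; a real
    client should refuse redirects and non-public addresses, since the URL is
    derived from user input.
    """
    host = urlparse(site_url).hostname
    expected = PENDING.get(host)
    if expected is None:
        return False                            # unknown or already verified
    body = fetch(f"https://{host}{TOKEN_PATH}")
    if body is None:
        return False                            # file missing / fetch failed
    # Constant-time comparison: no length or prefix leak through timing.
    if not hmac.compare_digest(body.strip().encode(), expected.encode()):
        return False
    VERIFIED[host] = {"domain": host}
    del PENDING[host]                           # token cannot be replayed
    return True


if __name__ == "__main__":
    token = register_site("https://shop.example")
    served = {f"https://shop.example{TOKEN_PATH}": token}  # constructed server
    print(verify_site("https://shop.example", served.get))  # True
    print(verify_site("https://shop.example", served.get))  # False, consumed
```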


Solution

  • The workflow we ended up using is the following:

    1. The user registers their website on our platform and its IP address is fetched and saved.
    2. The app generates a website API user and a verification code.
    3. From this moment the website is allowed to log in as the website API user by using the authorization code that should be copied and saved on the client server.
    4. The client server, once logged in, receives back a JWT that can be used to make additional requests.

    Hope that this may come in handy to other people too.