I'm learning APIs with a microservices architecture. Here is a small description of the setup:
Client request flow:
The client requests API1 from microservice1 with a JWT token, which is authenticated at the API gateway, and then the information is served from microservice1, which is fine.
But I have one private API2 which should not be allowed from the client side. Only internal applications can use it, but it should be callable upon another request from the client side.
e.g.
client request -> /API/Gateway1 (has JWT)
/API/Gateway1 -> API1 (has valid user)
API1 -> /API/Gateway2 (has valid user)
/API/Gateway2 -> API2 (has valid user)
Question:
How can I protect API2 from the client side? What if the client fakes the valid user header?
What you want to do is prevent API2 from accepting outside traffic; there are a number of ways you can do this, for example:
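Added example, not part of the question or the answer above: one way to make the "has valid user" assertion between API1 and API2 unforgeable, assuming API1 and API2 share an HMAC secret that the client never holds and that Gateway1 drops any client-supplied header carrying internal trust. The header names, the secret and the 60-second freshness window are constructed for illustration; network isolation of API2 (what the answer points to) is the complementary control.

```python
import hmac
import hashlib
import time

# Constructed secret shared only by internal services (API1, API2); in practice
# injected per service from a secrets manager, never reachable by the client.
INTERNAL_SECRET = b"constructed-shared-secret-do-not-use"
MAX_AGE_SECONDS = 60  # constructed freshness window for the internal assertion

# Headers a client may set. Anything that carries internal trust
# (X-Valid-User, X-Internal-*) is dropped at the gateway, so a client cannot
# smuggle a forged "valid user" past API1. Header keys are treated verbatim here.
CLIENT_ALLOWED_HEADERS = {"authorization", "content-type", "accept"}


def gateway_sanitize(headers):
    """Gateway1: keep only headers the client is allowed to supply."""
    return {k: v for k, v in headers.items() if k.lower() in CLIENT_ALLOWED_HEADERS}


def sign_internal_call(user_id, now=None):
    """API1 -> API2: assert the user id with an HMAC over (user id, timestamp)."""
    ts = str(now if now is not None else int(time.time()))
    msg = f"{user_id}\n{ts}".encode()
    sig = hmac.new(INTERNAL_SECRET, msg, hashlib.sha256).hexdigest()
    return {"X-Valid-User": user_id, "X-Internal-Ts": ts, "X-Internal-Sig": sig}


def api2_accepts(headers, now=None):
    """API2: serve only if the user assertion is signed by an internal service and fresh."""
    user = headers.get("X-Valid-User")
    ts = headers.get("X-Internal-Ts")
    sig = headers.get("X-Internal-Sig")
    if not (user and ts and sig and ts.isdigit()):
        return False  # a bare X-Valid-User header, which anyone could fake, is rejected
    current = now if now is not None else int(time.time())
    if abs(current - int(ts)) > MAX_AGE_SECONDS:
        return False  # stale or replayed assertion
    expected = hmac.new(INTERNAL_SECRET, f"{user}\n{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC
    return hmac.compare_digest(expected, sig)
```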