My architecture consists of a front end server and a backend/API server. The API is accessible to the end user, however I want the front end server to be able to access certain routes of the API that aren't accessible to the end user (higher privilege).
This question has 2 parts:
(1) I need to use API keys for the end user. What's the best practice to do this?
(2) How does the front end play into the API Key system? The client will need to log into their account to access these elevated privileges available from the front end. (such as enabling webhooks)
My application is hosted on Google Cloud App Engine Standard env and I'm using node.js 10. It would be awesome if anyone had any suggestions relating to this architecture.
I know this question is somewhat general but I've spent a few hours looking around online and my question isn't so much how to use API keys, nor how to authenticate frontend, but rather: what is the best practice to do these two together?
Thanks, Nikita
JWT (https://jwt.io/introduction/) can help with this. You can include API key as well as JWT in the request header. Some services accept API key as a URL parameter but putting such sensitive data in header is a better approach.
JWT can be stored in the cookie when the user authenticates and can be transferred with the request to the server.
The server can use API key for authenticating and decode this JWT using the key available in the server environment for authorizing access as decoding this JWT can reveal the type of user and hence aid is figuring out what level of access is required.
A straight-forward approach used with multiple variations. You can start with the basic version and keep adding layers/features progressively.