If a person wants to use our API, he does the following:

  1. Receives a token
  2. Accesses the API with the token

Naturally, the tokens will be unique.

The actual question is: how do I protect this token so that it is usable by only one person? That is, so that it is impossible to take this token from another person and use it as your own. What should the token be tied to?

  1. IP is not suitable, as it can be dynamic.
  2. Referer is also not suitable, because it can be replaced.

The token should also be "cross-platform": it should be possible to take it and, for example, transfer it to an Android application and use the API from there.

P.S. This needs to work without user registration (!)

Any ideas?

    2 answers

    OpenID / OAuth ?

    I.e., the idea is to identify the user through a third-party resource, for example a social network.

      Only key generation on the client side comes to mind, but I don’t know what your task is and what you can demand from the client. Is it possible to require the client to run your script on their machine in order to get the key? If so, it gets easier. Generate a key pair and that's it. That's how banks do it.

      • "run your script on my machine?" - I didn't quite understand you. What will it give me? - cmd
      • Well, like, generate a key pair. Although of course, if the user himself is interested in transferring the token, he will also hand over his private key - zemlia-zemlia
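
The key-pair idea from the second answer, sketched as an added example (not code from the question or from either answer): the server binds the token to the client's public key and every request is signed with the private key, so a copied token is useless on its own. Ed25519, the HMAC-sealed token format, the 60-second window, the nonce cache and all function names are assumptions made for this sketch.

```javascript
const crypto = require('node:crypto');

const SERVER_SECRET = crypto.randomBytes(32); // server-only key that seals tokens
const seenNonces = new Set();                 // replay cache (in-memory, demo only)

// SHA-256 thumbprint of a public key's DER (SPKI) encoding.
function thumbprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

const seal = (body) => crypto.createHmac('sha256', SERVER_SECRET).update(body).digest();

// Server: issue a token bound to the client's public key. No account is involved.
function issueToken(publicKeyPem) {
  const body = thumbprint(crypto.createPublicKey(publicKeyPem));
  return `${body}.${seal(body).toString('hex')}`;
}

// Client: sign method, path, timestamp and a fresh nonce with the private key.
function signRequest(privateKey, method, path) {
  const ts = Date.now();
  const nonce = crypto.randomBytes(16).toString('hex');
  const msg = Buffer.from([method, path, ts, nonce].join('\n'));
  const sig = crypto.sign(null, msg, privateKey).toString('hex');
  return { method, path, ts, nonce, sig };
}

// Server: the token must be genuine AND the caller must hold the key it is bound to.
function verifyRequest(token, publicKeyPem, req) {
  const [body = '', mac = ''] = token.split('.');
  const given = Buffer.from(mac, 'hex');
  const expected = seal(body);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad token';
  const publicKey = crypto.createPublicKey(publicKeyPem);
  if (thumbprint(publicKey) !== body) return 'key not bound to token';
  if (Math.abs(Date.now() - req.ts) > 60000) return 'stale request';
  const msg = Buffer.from([req.method, req.path, req.ts, req.nonce].join('\n'));
  if (!crypto.verify(null, msg, publicKey, Buffer.from(req.sig, 'hex'))) return 'bad signature';
  if (seenNonces.has(req.nonce)) return 'replayed request';
  seenNonces.add(req.nonce);
  return 'ok';
}

// Constructed demo: a client key pair generated on the fly, then one signed call.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  return verifyRequest(issueToken(pem), pem, signRequest(privateKey, 'GET', '/v1/items'));
}
```

As the last comment notes, this stops a token from being lifted and reused by someone else; it does not stop a user who deliberately hands over the private key together with the token.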