How to protect a private REST API in an AJAX app
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.

I have a private REST API written in nodejs. It is private because its only purpose is to serve my HTML5 client apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.

I want to avoid bots creating accounts on my server and consuming my resources.

Is there any way to accomplish this?

aartiles asked Jan 18 '12 23:01


1 Answer

An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.

You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:

http://cloud.dzone.com/news/using-api-keys-effectively

Chris Hutchinson answered Sep 18 '22 06:09