How to protect web API request call from third-party tools such as Postman?

Question

I am facing an issue regarding the calling of a web API in an MVC 5 Application.

I want to protect my web API from being called through tools (e.g. Postman, REST client and so on). When I am logged into my apps with my login and password and I copied all request headers from browsers and pass the copied headers and API URLs in the Postman and submitted. After submit, it is getting a valid response.

How to protect against this? I want to call it from my apps only, not other tools like Postman.

Answer 1

You can look into either:

• adding an API key as part of authentication, which your apps (clients) will store on their side and send with each request (of course, anyone having an API key can also do this);
• if your apps are web-related clients you can ramp this up by only allowing requests sent from a list of trusted domains