I am developing an API that will be used by users of my customers. Here is what the flow will look like:
- User of my cloud-based service creates an API key.
- User embeds the API key into their own custom applications.
- User deploys the application to their own end users.
- The application talks to our API.

I am looking for advice on how to secure this API. I see a few issues:

- API key has to be embedded into the user's application and is therefore vulnerable to being stolen and abused.
- Once an API key is compromised, it can easily be disabled, but how will my users update their applications to use a new API key short of having to rebuild the application and redeploy?

Does anyone have any ideas on how to design this?

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en.