How do you prevent hackers from taking a "publicly used API key" and using it in their own script?
At first, for MVP, I want to basically allow API requests to only come from my domains, or from a server-side script I control.
For the server-side script, I can simply use a "secret API token" sent in the Authorization Bearer he… Continue reading How do you prevent hackers from taking a "publicly used API key" and using it in their own script?