App specific authentication


I wanted to understand if there are options in Xano to allow app specific authentication.

The goal is to ensure that the Xano APIs of my application are only callable via the front-end application used by users to interact with my app.

Currently, when authentication is turned on for an endpoint, a bearer JWE auth token for this user is required for the Xano endpoint to begin any execution of the function stack.

Once the user has the authToken, they are able to use the front-end application to make calls to the Xano APIs. These API calls are routed via my front-end application's servers, allowing certain payload components to be hidden from the end user.

What this also means is that if the user has the authToken, they can also make calls to the Xano function stack outside of my front-end application using something like postman.

I wanted to see if there was a way to prevent calls to the Xano API outside of my front-end application for users who have a valid authToken.

I know that I can build logic into the function stack to verify a payload header or parameter coming from the front-end application, which I could make private to the end user given that my front-end application's server is making the request to the Xano API, but I wanted to see if the community had a better way to manage this than my suggestion.

Thanks.

Comments

  • Ray Deck (Trusted Xano Expert ✭✭✭)

    Here are a few things you can do to move the needle:

    1) Add a token in the header of the request, separate from the auth token, that reflects that this is from the correct application.

    2) Use claims in the JWT to make sure it cannot be used for endpoints outside the bailiwick of the particular application for which it was issued.

    3) Use encryption/encoding within the app to further disguise the data going back and forth, which makes it more complicated for someone to spoof.

    All that said, you can certainly make app-spoofing inconvenient, but the existence of tools like Phantombuster is a testament to the fact that it's not impossible.


    We discuss harder questions like this during our daily office hours on State Change Pro. Next one is tomorrow at 12p!