How to protect your api?

For example, there is an external api that saves the data. First, the authorization of the client on login+pass, then the client works with him by sending the token received. How to protect this api from an attacker? He did not interfere deobfuscate a few I've found, to copy the login and pass, and work with it from your server. How to avoid this? Binding on IP + domain? They also are easy to replace.
July 2nd 19 at 18:18
2 answers
July 2nd 19 at 18:20
Check reverse DNS entry for the host (the server with the domain name in the client role) in the authorization process: that a request came from one of the expected servers.
If this "API" is the schema: server1 <=> client <=> server2, then - nothing.
July 2nd 19 at 18:22
Actually, you described a standard authorization mechanism, but:
copy the login and pass

Where it will take them, if they are only customers? Or is he among the customers will be? Then first stop calling him a hacker, because it's not the fact that he is spamming, etc., second, while there is no evil and there is no problem - get more relevant aspects, thirdly if you don't mind spending the time - that can complicate the process of authorisation to use HTTPS with HSTS, better yet, your Protocol, if the client in the browser the WebSocket or the Flash, and if not in the browser then does a TCP+SSL or UDP this will increase the required qualifications "intruders" and will reduce their population, but I still will crack if need be, even on a pure IPv4 do, and for "the malefactor" you I have it apart get! :)

Find more questions by tags PHP