We have a mobile game. It makes REST service calls to our custom APIs. Currently we require the username and password of the logged-in user with each request.
We want to prevent any other clients (web, mobile, etc.) from accessing these APIs. We know we could set up our own secret key and pass it along with each request and have the server validate it, but a hacker can and has easily decompiled the code to find out what the secret key is, so any tokens/keys we put in the client code can easily be detected and re-used from fake clients.
So my question is, is JWT designed to be used to prevent unauthorized clients from accessing our REST API?
If so could someone please direct me to an article where I can read more about how to set this up?
I’m not aware of any solution to this problem, and not for lack of looking. I believe the most you can do is to try to obfuscate your code in ways to make it difficult to reverse-engineer. Bear in mind that a hacker can always run your app in an emulator, so if it’s a simple matter of sending a private key, no amount of obfuscation will keep them from seeing the key that is sent. Hence, you at minimum would need to do some sort of cryptographic challenge-response, so that wire sniffing doesn’t reveal reusable information. Even so, you’ll still be vulnerable to a sufficiently motivated attacker.
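As an added illustration of the challenge-response the answer describes (example code, not the poster's), the following Python sketch has the server issue a single-use nonce and verify an HMAC over it, so a sniffed (nonce, response) pair cannot be replayed; the shared secret and TTL are constructed values. The answer's caveat still holds: anyone who extracts the secret from the client can compute valid responses, which step 3 of the demo only shows for a client lacking it.

```python
import hmac
import hashlib
import secrets
import time

# Constructed shared secret for this example. The page's point stands: anyone
# who extracts this from the client binary can still answer challenges.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def compute_response(secret: bytes, nonce: str) -> str:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Issues single-use nonces and verifies HMAC responses over them."""

    def __init__(self, secret: bytes, ttl_seconds: float = 30.0):
        self._secret = secret
        self._ttl = ttl_seconds
        self._outstanding = {}  # nonce -> expiry (monotonic seconds)

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)  # unpredictable, never reused
        self._outstanding[nonce] = time.monotonic() + self._ttl
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        # pop() consumes the nonce: a second use of the same value fails.
        expiry = self._outstanding.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            return False
        expected = compute_response(self._secret, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = ChallengeServer(SHARED_SECRET)
    # 1. Legitimate client answers a fresh challenge.
    nonce = server.issue_challenge()
    response = compute_response(SHARED_SECRET, nonce)
    first = server.verify(nonce, response)
    # 2. The same pair captured off the wire and replayed is rejected.
    replay = server.verify(nonce, response)
    # 3. A client without the secret cannot answer a new challenge.
    nonce2 = server.issue_challenge()
    forged = server.verify(nonce2, compute_response(b"guess", nonce2))
    return first, replay, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```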