How to protect a private REST API in an AJAX app

Question

I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.

I have a private REST API

Answer 1

An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.

You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:

http://cloud.dzone.com/news/using-api-keys-effectively