I'm currently working on an API that is going to be used in an app and a website. For some actions, you have to be logged in and for others not. Users are also split up into different account types like e.g. users and support. For the API I've used the slim framework.
So my approach is the following:
- The API key with its type is stored in the database and it's bound to an account
- I assign group permissions to each command, which restricts e.g. not-logged-in users
The following is an example of a request:
In this example, not-logged-in users and normal users are restricted, but support users are not. As this is already working, I have to ask myself if this is even secure, because someone could e.g. spoof the support users' API key and disguise himself as support staff. How can I secure my API, or is there another way to do it?
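The approach described in the question (API key bound to an account in the database, group permission attached to each command), written out as Slim 4 middleware. This is an added example, not the asker's code. It assumes Slim 4 with `slim/slim` and `slim/psr7` installed through Composer, a header named `X-Api-Key` (the question does not say how the key is sent), and an in-memory key table that is a constructed stand-in for the real database. The points that matter for the spoofing concern are visible in the code: only a digest of each key is stored, the group comes from the server-side record rather than from anything the client sends, keys can expire, and every route denies by default unless the attached middleware allows it. Transport over HTTPS is assumed, since an API key is a bearer secret and anyone who reads it on the wire can replay it.

```php
<?php
// Added example (not the asker's code). Assumes Slim 4 + slim/psr7 via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as Handler;
use Slim\Factory\AppFactory;
use Slim\Psr7\Response as SlimResponse;

// Constructed stand-in for the api_keys table. Only hash('sha256', key) is stored,
// so a leaked table does not hand out usable keys; the digest is computed here for
// the demo only, a real system inserts it when the key is issued.
$keyTable = [
    hash('sha256', 'user-key-EXAMPLE')    => ['account_id' => 1, 'group' => 'user',    'expires_at' => null],
    hash('sha256', 'support-key-EXAMPLE') => ['account_id' => 2, 'group' => 'support', 'expires_at' => time() + 86400],
];

// Resolve a presented key to its account row, or null. The group is taken from the
// stored row, never from the request, so a client cannot claim to be "support".
function lookupAccount(array $keyTable, string $presentedKey): ?array
{
    if ($presentedKey === '' || strlen($presentedKey) > 256) {
        return null;
    }
    $digest = hash('sha256', $presentedKey);
    foreach ($keyTable as $storedDigest => $row) {
        // hash_equals avoids a timing side channel on the comparison; with a real
        // database you would index on the digest column and query by it instead.
        if (hash_equals($storedDigest, $digest)) {
            if ($row['expires_at'] !== null && $row['expires_at'] < time()) {
                return null; // expired keys are treated exactly like unknown keys
            }
            return $row;
        }
    }
    return null;
}

function jsonError(int $status, string $message): Response
{
    $response = new SlimResponse($status);
    $response->getBody()->write(json_encode(['error' => $message]));
    return $response->withHeader('Content-Type', 'application/json');
}

// Application-wide middleware: attaches the account (or null) to every request.
$authenticate = function (Request $request, Handler $handler) use ($keyTable): Response {
    $account = lookupAccount($keyTable, $request->getHeaderLine('X-Api-Key'));
    return $handler->handle($request->withAttribute('account', $account));
};

// Route middleware: the per-command group permission from the question. A route
// without it is public; a route with it rejects anonymous (401) and wrong-group (403).
function requireGroup(array $allowedGroups): callable
{
    return function (Request $request, Handler $handler) use ($allowedGroups): Response {
        $account = $request->getAttribute('account');
        if ($account === null) {
            return jsonError(401, 'authentication required');
        }
        if (!in_array($account['group'], $allowedGroups, true)) {
            return jsonError(403, 'forbidden');
        }
        return $handler->handle($request);
    };
}

$app = AppFactory::create();
$app->add($authenticate); // runs before routing, so route middleware sees the account

// Public command: no group required.
$app->get('/public/status', function (Request $request, Response $response): Response {
    $response->getBody()->write(json_encode(['status' => 'ok']));
    return $response->withHeader('Content-Type', 'application/json');
});

// Support-only command: anonymous and normal users are refused.
$app->get('/support/tickets', function (Request $request, Response $response): Response {
    $response->getBody()->write(json_encode(['tickets' => []]));
    return $response->withHeader('Content-Type', 'application/json');
})->add(requireGroup(['support']));

$app->run();
```

With this layout a request to `/support/tickets` without `X-Api-Key` gets 401, with the user key gets 403, and with the support key gets 200; `/public/status` answers everyone. Because the key itself is the only credential, the defensive levers are the ones shown: keep the stored form hashed, give keys an expiry and a way to revoke them, and bind the privilege level to the server-side record so that the request carries no role information to trust.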