I have a website where I have a sports API available. Every user has a limited number of requests, so when they make a request to the site, my Node/Express backend checks for an api_key to authenticate the request.
I've recently listed the API on RapidAPI, and when a user makes a request from RapidAPI, they're supposed to use their RapidAPI api key that is given to them by RapidAPI. I know that RapidAPI will check if the api_key is valid before sending the request to my API, but how do I know whether or not to check for the api_key when people are making requests from my website URL?
I would expect the express function to do something like this...
    router.get('/v1/:sport/odds', async (req, res) => {
      // if the request came from rapidAPI and has been authenticated by rapidAPI, continue...
      // if the request didn't come from rapidAPI, check for an api_key in req.query and then continue if api_key is valid
    })
You can do this in two ways:
Approach 1: Provide personal auth
For the first method you will need to go to
Now you can choose the authorization method that you have implemented for your API to let the user use it when they call the API.
Approach 2: Secret Headers
As for the second approach, you can add a secret header from the same place for the API to call whenever someone uses it from Rapid. The secret header will do the authorization that you need, and you can know if the request came from Rapid or normal users.
For this you can create a superuser for RapidAPI at your backend to handle its responses.
For further reading from the docs you can use this link: https://docs.rapidapi.com/docs/configuring-api-authentication
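
A sketch of Approach 2 as Express-style middleware, added here as an example and not part of the original answer or RapidAPI's documentation. The header name `x-proxy-secret`, the `PROXY_SECRET` value, the in-memory `API_KEYS` store and the `rapidapi-superuser` name are all assumptions made for illustration; the secret is compared in constant time, and a request that presents a wrong secret is rejected instead of falling back to the api_key check.

```javascript
const crypto = require('crypto');

// Assumed names, not from the original page.
const PROXY_SECRET_HEADER = 'x-proxy-secret'; // hypothetical secret header configured on the RapidAPI side
const PROXY_SECRET = process.env.PROXY_SECRET || 'constructed-demo-secret';
// Constructed sample key store; a real backend would query its database.
const API_KEYS = new Map([['demo-key-123', { user: 'alice', remaining: 2 }]]);

// Constant-time comparison. Hashing both sides first yields equal-length
// buffers, which crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Express-compatible middleware: (req, res, next).
function authenticate(req, res, next) {
  const presented = req.headers[PROXY_SECRET_HEADER]; // Node lowercases header names
  if (typeof presented === 'string') {
    // Header present: the request claims to come through the proxy.
    // Trust it only if the value matches; never trust mere presence.
    if (!safeEqual(presented, PROXY_SECRET)) {
      return res.status(401).json({ error: 'invalid proxy secret' });
    }
    req.auth = { source: 'rapidapi', user: 'rapidapi-superuser' };
    return next();
  }
  // No secret header: a direct request, so enforce the site's own api_key and quota.
  const account = API_KEYS.get(req.query.api_key);
  if (!account) return res.status(401).json({ error: 'invalid api_key' });
  if (account.remaining <= 0) return res.status(429).json({ error: 'quota exceeded' });
  account.remaining -= 1;
  req.auth = { source: 'direct', user: account.user };
  return next();
}

// Usage in the route from the question:
// router.get('/v1/:sport/odds', authenticate, async (req, res) => { /* ... */ });
```

Keep the secret out of source control and serve the API over HTTPS only, since anyone who learns the header value can bypass the per-user quota.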