I’m creating a distributed application that’s going to have multiple API back end nodes and a couple of basic JS front end nodes that contact the API for the dynamic content to populate pages. The back end will handle all the functionality, including user management and other functions of the website, so I’m implementing JWT for logins and user access control. However, I don’t want users to be able to access the API on their own, which some could certainly figure out from the calls that are being made to the back end, grab their own JWT and automate some of the tasks that they are allowed to do. I’m not worried about permission scopes for the users; I have that locked down very well. I’d just like only my front end to manage user<->API communication.
Can this be done with some sort of static API key that I can pass encrypted while the user is using the front end? If so, what is the risk associated with that key getting out? Obviously it would be well protected on the front end nodes, but I can’t just assume it could never be compromised. Conceptually I envision some sort of client certificates issued to each front end node, to be used as a secondary authentication factor, but whether that’s over-complicating it or not, I’m not sure. Any suggestions are greatly appreciated.
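One way to implement the per-node second factor raised above, as an added example that is not part of the original post: the API accepts a request only when it carries both the user's JWT and a fresh HMAC signature made with that front-end node's own key, so a leaked key can be revoked for one node without touching the rest. Header names, node ids and secrets are assumptions for illustration; the JWT handling is stdlib-only so it runs offline.

```python
import base64, hashlib, hmac, json
# Constructed sample secrets; in production they come from a secret store, never from browser JS.
JWT_SECRET = b"constructed-jwt-secret"
# One secret per front-end node, keyed by node id, so a leaked key is revoked alone, not fleet-wide.
NODE_KEYS = {"fe-node-1": b"constructed-node-1-secret", "fe-node-2": b"constructed-node-2-secret"}
REVOKED_NODES = set()
MAX_SKEW = 300  # seconds a node signature stays valid; bounds replay of a captured request

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    # Minimal HS256 JWT as the API would issue on login.
    hdr = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{_b64u(sig)}"

def verify_jwt(token: str, now: int) -> "dict | None":
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_b64u_dec(parts[0])).get("alg") != "HS256":
        return None  # reject malformed tokens and any alg other than the one we issue
    expected = hmac.new(JWT_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(parts[2])):
        return None
    claims = json.loads(_b64u_dec(parts[1]))
    return claims if claims.get("exp", 0) > now else None

def sign_as_node(kid: str, method: str, path: str, body: bytes, ts: int) -> dict:
    """Headers a front-end node adds server-side; the node key attests origin, the JWT names the user."""
    msg = f"{method}\n{path}\n{ts}\n{hashlib.sha256(body).hexdigest()}".encode()
    mac = hmac.new(NODE_KEYS[kid], msg, hashlib.sha256).hexdigest()
    return {"X-Node-Id": kid, "X-Node-Ts": str(ts), "X-Node-Sig": mac}

def authorize(headers: dict, method: str, path: str, body: bytes, now: int) -> "tuple[bool, str]":
    """API-side check: require a valid user JWT AND a fresh signature from a known, unrevoked node."""
    kid = headers.get("X-Node-Id")
    if kid not in NODE_KEYS or kid in REVOKED_NODES:
        return False, "unknown or revoked node"
    if not headers.get("X-Node-Ts", "").isdigit() or abs(now - int(headers["X-Node-Ts"])) > MAX_SKEW:
        return False, "missing or stale node timestamp"
    expected = sign_as_node(kid, method, path, body, int(headers["X-Node-Ts"]))["X-Node-Sig"]
    if not hmac.compare_digest(expected, headers.get("X-Node-Sig", "")):
        return False, "bad node signature"
    claims = verify_jwt(headers.get("Authorization", "").removeprefix("Bearer "), now)
    if claims is None:
        return False, "invalid or expired user token"
    return True, claims.get("sub", "")
```

The node key is only ever used on the front-end node's server side; anything shipped to the browser is readable by the user, so a key placed there would give no origin guarantee at all.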