We’ve developed an API which allows users to search and upload Images.
Any application that wants to query it uses an API key which allows it to perform different actions according to its permissions.
Recently we started to expose some of the API’s abilities in public websites.
For example, see the PicScout Search Tool on www.picscout.com(and press the “Launch Tool” button).
Here’s the issue: Exposing the key to unknown users can make us vulnerable to spam and abuse.
In order to overcome this problem we decided to use Google reCaptcha.
Using this tool means that only real people can pass through the system, as opposed to malicious bots.
Reaching this solution included client and server side adaptations. On the client side, we added support to the reCaptcha widget
. This widget is shown to the users before their first action in the site and afterwards only if their token has expired. On the server side, we added a second layer of authentication. This authentication is enforced only on API keys that are public, meaning those used on public sites. When making a request, the users must send an API key as well as a token supplied to them by Google reCaptcha
. The server verifies this token combined with some
secret agreed between the server and Google. If this information is successfully verified
, the resource is returned to the user. Otherwise, the request fails.
That’s about it on how we use reCAPTCHA at PicScout