Javascript – How to hide a REST API Url from the end user


Is it possible to hide my REST URL that I using via AJAX to populate page data? I don't want others taking and consuming from my REST API, but need to use it to display content in my site.

How do I hide my REST API URLs from the end user?

Best Solution

It's not possible to hide the URL From the end user in JavaScript. They can simply open up the Network panel in Chrome, or just turn on Fiddler to see it.

In your particular case, the only real way you can hide the URL from the user is to proxy the REST call to your API from your server-side code.

If you must use JavaScript, you can always create and use APIKeys and simply monitor their usage and terminate API Keys that are taking up too much bandwidth; but again -- this isn't going to stop someone from being able to use your API, it'll just let you know when you receive an unexpected amount of traffic from unexpected places.

You could take it further by cycling API keys every day, so if someone wants to use your API; they have to change their code every day -- but again, this won't stop someone, just slow them down.

The only fullproof way is the way I mentioned in my first paragraph -- but that can't be done from client-side JavaScript alone.

Update in the age of Single Page Applications

What I wrote holds true, even for Single Page Applications (SPA); though you can hide the URL in the address bar by having different routing for your client-side application than your server-rendered pages.

The user can still inspect the traffic in their browser's console to check where the requests are going (there's no getting around that), but you can at least display different paths in the address bar.