https://stackoverflow.com/questions/16909601
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianYou're question is a little vague, but I'll do my best to give you a hand.
If I were in this situation I would utilize api (public) and secret (private) keys for each client, with a signature. Each request would have to include the public key (either as a field, or header, or however you like) in order to identify the client, and a signature header, as well as a signature generated from a (this may be a little off, its been a while since I did this) HMAC string based on the base64 encoding of the sent information and the specific client's secret key. Because only your service and the client should have this key, you will be able to verify if the signature does not match the client.
Including a way for the client to reset the secret key in the event that it is compromised is also a good idea.
At this point you've identified and verified the client, so you can simply record the request in whatever kind of db you're using. If you want to verify that the client is allowed to make that request you will have to build some kind of permission system (perhaps db tables consisting of what each client is allowed to access, or which clients are allowed to access each resource), as well as a check to ensure that the client hasn't gone over whatever rate-limit you've set.
If this isn't quite what you were asking I apologize, and if you have any further questions feel free to ask.
