Question

Is there a way through encryption/keys/jwt or anything else to ensure that the data being sent through a POST request is only data coming from another request I made on the client to a 3rd party endpoint like Instagram?

I haven't been able to think up a secure solution to this. I've tried thinking about solutions where I sign some data, but unless the data comes from and originates from the server, I don't think there is a way to make that work.

Solution

Is there a way to ensure that data coming into my POST request came from the Instagram endpoint and wasn't something the user concocted?

No. Your thinking is exactly right on this - because what you're looking for in terms of security isn't available on the original endpoint (Instagram's API), anything you think of can be subverted by the client, which isn't under your control.
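
The reasoning in the question and the answer above, as an added example that is not part of the original posts: an HMAC tag proves origin only while the key stays on the server, so it protects data the server issued itself but not data the client fetched from a third party and signed locally. The keys, payload fields and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key; in case 1 it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def sign(key: bytes, payload: dict) -> str:
    """Return a hex HMAC-SHA256 tag over a canonical JSON encoding of payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    """Constant-time check that tag was produced over payload with key."""
    return hmac.compare_digest(sign(key, payload), tag)


def server_issued_roundtrip() -> tuple:
    """Case 1: data originates on the server, passes through the client, returns."""
    issued = {"user": "alice", "followers": 120}    # constructed sample data
    tag = sign(SERVER_KEY, issued)                   # client only sees data + tag
    tampered = dict(issued, followers=1_000_000)     # client edits the value
    return verify(SERVER_KEY, issued, tag), verify(SERVER_KEY, tampered, tag)


def client_signed_relay() -> tuple:
    """Case 2: the client fetches third-party data and signs it before the POST.

    To sign, the client must hold the key, so the user can sign any payload.
    """
    client_key = secrets.token_bytes(32)             # shipped to the client
    genuine = {"user": "alice", "followers": 120}    # what the third party returned
    forged = {"user": "alice", "followers": 1_000_000}  # what the user made up
    return (verify(client_key, genuine, sign(client_key, genuine)),
            verify(client_key, forged, sign(client_key, forged)))


if __name__ == "__main__":
    print("server-issued (untouched, tampered):", server_issued_roundtrip())
    print("client-signed (genuine, forged):", client_signed_relay())
```

In the second case both payloads verify, which is why the server cannot tell relayed third-party data from data the user invented.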

Other tips

You're using an undocumented API and sometimes get unexpected answers. Basically, that's what you have to expect :-) No amount of fiddling and trying to hide your usage of this API will give you safety. Instagram might remove it altogether, rename it, require some credentials to give access, etc.

The simple advice: Don't depend on undocumented and unguaranteed APIs. If your application cannot work without this, you have an unsustainable business model. If you really need it, ask Instagram about APIs they provide and try to get a good enough deal. They're not in the business of providing services for free.

Facebook provides a stable API with the security features you are requesting, as well as guidelines about how to keep from being blocked. If what you are trying to do doesn't fall within those guidelines, they have every right to take any measures to lock you out. Trying to circumvent those measures is a risky way to build a business.

Licensed under: CC-BY-SA with attribution