My service allow any HTML documents to be converted to PDF using a POST request. It is mostly used on the backend of my client’s server and thus, the API key used for the communication is kept private.
Now, I’m thinking of a way to let my client’s visitors be able to call my service on behalf of my client API key, without exposing this secure API Key.
My main issue here is security. If my client add an XHR POST requests that contains the API key, someone can take that API key and use it for their own purpose and abusing my client’s account.
I could filter by domain, but this is easily spoofed so it’s not possible.
I was wondering if there was a way to call a private service and be identified without risking its identity to be stolen, from the client ('s client) side?