I understand that we can restrict an API call using IP address and domain name in the load balancer, but I wanted to know the possibility of restricting an API call using an application. Let's say the end-user is triggering an API request using the Java SDK package; by analyzing the load balancer logs, we know that the API request is from a Java application, so I wanted to restrict the API request based on the application used. Is it possible?
Also, it would be helpful if you could share an example with your solution. Thanks for the help in advance.
NOTE: I had configured a container with a load balancer for a static external IP, so I'm referring to the API calls made from the client to my server or load balancer.
CodePudding user response:
No, this is completely impossible. The part where you go 'I can analyse the load balancer logs to see that it is a Java SDK impl doing it' is based on some information that the client sends to you, probably a User-Agent: header. This can be faked, trivially.
If you e.g. give Java SDK requests more restrictions than, say, Chrome (the browser), then the users of your API writing in Java will just send Chrome's User-Agent to you.
API restrictions are based on things that you can't fake, such as access keys. You can't make access keys that certain apps can't use; all programs are Turing complete, which means they can all do what all the others can do.
Your only recourse is legal: As part of handing out an API key, the recipient signs a contract. You can stipulate in the contract that, say, you must not lie with your User-Agent.
However, whether such a contract is enforceable is dubious in the first place. "Catching" someone misusing the API (sending a user agent from a less restricted app) is difficult, and it is rather unlikely that you can stick a heavy punishment on 'getting caught' as a deterrent and make that legally stick.
In other words, effectively the answer is: Nope, you can't do that.
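To make the answer's point concrete, here is an added example (not from the question or the answer above) contrasting a policy keyed on the self-reported User-Agent with one keyed on an issued API key. The key values, owners and rate limits are constructed for the demo; the server stores only SHA-256 hashes of the keys it issued.

```python
import hashlib
import hmac

# Constructed demo: the server keeps a hash of every key it has issued, together
# with the restrictions attached to that key. "Which application" is simply
# "which key", and the key cannot be guessed from anything the client claims.
def hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()

ISSUED_KEYS = {
    hash_key("java-sdk-demo-key-0001"): {"owner": "java-sdk-client", "rate_limit": 100},
    hash_key("browser-demo-key-0002"): {"owner": "web-frontend", "rate_limit": 1000},
}

def lookup_key(raw_key: str):
    """Return the policy bound to raw_key, or None if the key was never issued."""
    digest = hash_key(raw_key)
    for stored, policy in ISSUED_KEYS.items():
        # Constant-time comparison so the lookup leaks nothing about stored digests.
        if hmac.compare_digest(stored, digest):
            return policy
    return None

def policy_by_user_agent(headers: dict):
    """Weak control: the User-Agent is whatever text the client decides to send."""
    ua = headers.get("User-Agent", "")
    if ua.startswith("Java/"):
        return {"rate_limit": 100}
    return {"rate_limit": 1000}

def policy_by_api_key(headers: dict):
    """Robust control: the restriction follows the issued key, not a claimed identity."""
    raw = headers.get("X-Api-Key")
    if raw is None:
        return None          # unauthenticated: reject before any policy applies
    return lookup_key(raw)   # None for unknown keys

if __name__ == "__main__":
    # Same key presented with two different User-Agent strings (constructed).
    java_ua = {"User-Agent": "Java/17.0.2", "X-Api-Key": "java-sdk-demo-key-0001"}
    other_ua = {"User-Agent": "Mozilla/5.0", "X-Api-Key": "java-sdk-demo-key-0001"}
    print("UA-based :", policy_by_user_agent(java_ua), policy_by_user_agent(other_ua))
    print("key-based:", policy_by_api_key(java_ua), policy_by_api_key(other_ua))
```

The User-Agent policy hands out a different limit as soon as the header text changes, while the key-bound policy returns the same limit for the same key regardless of what the client calls itself.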
