I'm developing a site with React and Next.js. In the API folder, I have written some API endpoints. Now I don't know how I can protect them from clients. I want to use these APIs directly from the site, and I don't want the user to be able to access the API from his browser. Can I solve this problem with JWT? Or is the right solution something else?
CodePudding user response:
If it's your own API endpoints, it should be running on its own server, e.g. Express.js.
If it's a 3rd-party API, you could add private information like passwords, API keys, etc., to a .env file. You don't need to hide the API endpoints themselves in this case as they will be visible to the client anyway.
CodePudding user response:
If your client never triggers a request to your server, then your API should not be visible, but you can also add some pretty basic validation in case someone reaches your API, like reading a specific token in your API that only your server knows, or something like that.
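The "token that only your server knows" check from the answer above, sketched as a wrapper for a Next.js `pages/api` handler. This is an added example, not code from either answer. The variable name `INTERNAL_API_TOKEN` and the header `x-internal-token` are assumptions, and the check only helps for server-side callers, since any token sent by browser code is readable by the user.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Assumed names. Without the NEXT_PUBLIC_ prefix, Next.js does not
// bundle this variable into browser code, so it stays on the server.
const ENV_NAME = "INTERNAL_API_TOKEN";
const HEADER = "x-internal-token";

function tokenMatches(presented, expected) {
  // A duplicated header may arrive as an array, a missing one as undefined.
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  // Hash both sides first: timingSafeEqual throws on unequal lengths,
  // and equal-length digests keep the comparison constant-time.
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

function requireInternalToken(inner) {
  return function guarded(req, res) {
    const expected = process.env[ENV_NAME];
    if (!expected) {
      // Fail closed: a missing secret must never mean "allow everyone".
      return res.status(500).json({ error: "server misconfigured" });
    }
    if (!tokenMatches(req.headers[HEADER], expected)) {
      return res.status(401).json({ error: "unauthorized" });
    }
    return inner(req, res);
  };
}

const handler = requireInternalToken((req, res) => res.status(200).json({ ok: true }));
// In pages/api/<route>.js: export default handler;

// Constructed stand-in for the Next.js request/response objects,
// used only to exercise the guard outside a running server.
function simulate(headers) {
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  handler({ headers }, res);
  return res.statusCode;
}
```
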
