How to secure a local API when using JavaScript

I am looking for the best way to secure my application's login API from third parties attempting to hijack it. I am using Apigility, ZF2, jQuery.

I have a game server (Server G) and a cloud server (Server C).

While Server C holds usernames and passwords, users sign up and log in via Server G.

Both Server C and Server G have their own APIs using Apigility.

When a user logs into Server G, the jQuery app calls its own API, which in turn uses OAuth2 to contact Server C to verify the entered credentials. This way, every game in my network has a single Bearer token connection to my cloud and each game handles its own connections to its clients (mobile / browser / desktop etc.). Keeps things clean.

While Server G to C is secure, how do I secure the JavaScript call to its own API?


The JavaScript exposes the local app's API call, which essentially means anyone can grab the URL and play with it 🙂

    // The email and password are concatenated into the request URL
    var url = '' + email + '/' + password;

    $.ajax({
        type: 'GET',
        async: true,
        url: url,
        dataType: 'json',
        success: function (responseObject) {
            if (responseObject.status) {
                // Do stuff
            } else {
                // Do other stuff
            }
        }
    });

I have been thinking of using an implicit grant; however, I am not sure how this would work with my own API.

What would the standard solution be?

1 Comment

  1. Digin Dominic

    You should never send the password and email in the URL like that.

    I wonder what documentation from Apigility you used to set up this authentication.

    You should send the username and password in a POST request and use a properly set up HTTPS connection. The data sent will be encrypted with a certificate, and this way you prevent the data from being read when intercepted.

    Read more on how to use OAuth in Apigility here, especially at:

    Public Clients

    The example shows:

    POST /oauth HTTP/1.1
    Accept: application/json
    Content-Type: application/json

    {
        "grant_type": "password",
        "username": "testuser",
        "password": "testpass",
        "client_id": "testclient2"
    }
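
An added example, not part of the original post or comment and not Apigility's own code: the password-grant request from the comment, sent with `fetch` instead of jQuery, with the credentials only in the POST body and a non-HTTPS endpoint refused. The host `game.example` and all function names are hypothetical.

```javascript
// Added example. TOKEN_ENDPOINT's host and all function names are hypothetical;
// client_id "testclient2" is the public client from the quoted Apigility example.
const TOKEN_ENDPOINT = 'https://game.example/oauth';
const CLIENT_ID = 'testclient2';

// Build the password-grant request. Credentials go only in the JSON body,
// never in the path or query string, where logs and browser history keep them.
function buildTokenRequest(endpoint, username, password) {
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') {
    throw new Error('token endpoint must be HTTPS');
  }
  if (url.search || url.username || url.password) {
    throw new Error('token endpoint must not carry query or userinfo');
  }
  return {
    url: url.href,
    options: {
      method: 'POST',
      headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'password',
        username: username,
        password: password,
        client_id: CLIENT_ID,
      }),
    },
  };
}

// Send the request and return the access token from the JSON response.
// fetchImpl is injectable so the function can be exercised without a server.
async function login(username, password, fetchImpl = fetch) {
  const req = buildTokenRequest(TOKEN_ENDPOINT, username, password);
  const res = await fetchImpl(req.url, req.options);
  if (!res.ok) {
    throw new Error('login failed: HTTP ' + res.status);
  }
  const token = await res.json();
  return token.access_token;
}

// Later API calls present the token in a header instead of resending credentials.
function bearerHeaders(accessToken) {
  return { Accept: 'application/json', Authorization: 'Bearer ' + accessToken };
}
```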


