How to Protect Public APIs Without API Keys

6 Min Read | 12 Jun 2025

APIs are a core part of how modern web applications work. They enable smooth communication between frontend and backend systems, helping deliver seamless user experiences. Typically, APIs are secured with authentication mechanisms like API keys, OAuth tokens, or JWTs. However, there are valid cases where exposing an unauthenticated public API is both necessary and beneficial. For example, a news website might share trending articles via an open endpoint, or a weather app might display public forecasts.

These public APIs often do not handle sensitive user-specific information, but they are still vulnerable to abuse. Attackers may scrape content, flood endpoints with automated traffic, or misuse publicly available data. Developers can reduce this risk by implementing multiple layers of protection that do not rely on authentication.

This blog covers practical and effective strategies to secure public API security without API keys, while keeping performance and usability intact.

Why Use Public APIs Without Authentication?

Some APIs are designed to be open and quickly accessible. Requiring authentication in these scenarios may introduce unnecessary friction.

Common examples include:

  • Weather widgets and public dashboards
  • Maps or location data
  • Product listings or content feeds
  • Static assets in single-page applications

For these use cases, the goal is not to restrict access entirely, but to prevent abuse. The right defensive measures can help limit automated misuse without degrading the user experience.

1. Enforce CORS (Cross-Origin Resource Sharing)

How DNS Resolution Works:

CORS is a browser-based security mechanism that restricts which domains can send requests to your API using JavaScript. Configure the Access-Control-Allow-Origin header to allow only trusted domains.

Example: 

Access-Control-Allow-Origin: https://trusted-domain.com

Note: This is enforced by browsers only. CORS does not stop server-side requests made using tools like curl or Postman.

2. Apply Rate Limiting

Rate limiting controls how many requests a client can make within a specific timeframe. This helps prevent scraping and denial-of-service attacks, making it an important part of public API security.

Implementation options:
  • Web server configuration (e.g., NGINX)
  • Middleware like express-rate-limit for Node.js
  • Managed API services such as Cloudflare or AWS API Gateway
Example (NGINX): 

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
limit_req zone=mylimit burst=20;

3. Integrate CAPTCHA for Sensitive Actions

CAPTCHAs help distinguish real users from bots. For endpoints that process forms or perform resource-intensive actions, add CAPTCHA validation before accepting the request.

Common providers:
  • Google reCAPTCHA
  • hCaptcha

Generate a CAPTCHA token on the frontend, then verify it server-side before proceeding.

4. Implement Client Fingerprinting

Browser fingerprinting collects device and environment attributes to generate a unique identifier. This makes it possible to track clients even when their IP addresses change, contributing to stronger public API security.

  • FingerprintJS

Fingerprint data can be used to:

  • Detect repeated access from the same client
  • Flag or throttle suspicious activity

5. Use Short-Lived Signed Tokens

Instead of using static API keys, generate short-lived tokens when a page loads. These tokens should be signed (using JWT or HMAC) and include an expiration time.

Example JWT payload: 

{
  "iat": 1715400000,
  "exp": 1715400300,
  "origin": "yourdomain.com"
}

Tokens help limit the duration of access and tie requests to legitimate sessions, improving public API security.

6. Use Honeypots to Detect Bots

Honeypots are invisible form fields that normal users do not interact with. Bots that fill in every field are likely to trigger honeypots.

Use server-side logic to detect honeypot interaction and block or rate-limit offending clients.

7. Validate HTTP Headers

Analyze headers such as Referer, Origin, and **User-Agent **to confirm the legitimacy of API requests.

You type example.com in your browser.

  • Origin should match your domain
  • User-Agent should not be blank or suspicious
  • Referer should align with expected navigation paths

While headers can be spoofed, validation adds friction for basic automation scripts.

8. Deploy a Web Application Firewall (WAF)

A WAF inspects incoming traffic and blocks known malicious patterns. It can stop suspicious requests before they reach your API, adding another layer of public API security.

Trusted WAF providers:
  • Cloudflare WAF
  • AWS WAF
  • Akamai Bot Manager

WAFs often include bot detection, rule-based filtering, rate limits, and optional CAPTCHA enforcement for high-risk users.

9. Delay and Obfuscate API Calls

To increase difficulty for bots, delay API requests until after user interaction or page load. Avoid exposing API URLs directly in HTML.

Suggestions:
  • Store endpoint URLs in JavaScript variables
  • Trigger calls after scroll, click, or timer events

This approach is not sufficient alone but makes automation harder.

10. Watermark API Responses

Embed invisible identifiers in responses to trace misuse. Options include:

  • Hashed IP addresses
  • Request timestamps
  • Session or fingerprint IDs

This technique allows you to track where your data appears if it is scraped and republished, helping to maintain public API security.

11. Use Server-Side Rendering or Static Generation

Move rendering logic to the backend to limit API exposure. Frameworks like Next.js support:

  • Static Site Generation (SSG)
  • Server-Side Rendering (SSR)
Benefits:
  • Reduced frontend API visibility
  • Faster load times
  • Improved search engine optimization

12. Monitor API Usage and Behavior

Comprehensive monitoring helps detect misuse early. Log and analyze:

  • IP addresses
  • Request timestamps and frequency
  • User agents
  • Fingerprint IDs
  • Status codes

Use observability tools such as:

  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • Grafana + Prometheus
  • Datadog or other commercial solutions

When Authentication Is Necessary

The techniques outlined above work well for APIs that serve non-sensitive, public data. However, authentication is mandatory for APIs that:

  • Handle user accounts or personal information
  • Process payments or financial data
  • Perform write or administrative operations

For these cases, use OAuth2, API keys, or secure session-based authentication.

Public API Protection Checklist

  • CORS configured to allow only trusted domains
  • Rate limiting implemented by IP address
  • CAPTCHA integrated on sensitive endpoints
  • Client fingerprinting used to track behavior
  • Short-lived signed tokens used instead of static keys
  • Honeypots deployed in interactive forms
  • HTTP headers validated for each request
  • WAF active with bot detection and filtering
  • API calls delayed or triggered after user events
  • Invisible watermarks embedded in responses
  • Server-side rendering or static generation used where possible
  • API usage monitored and analyzed regularly

To Sum Up

Public APIs offer speed and convenience, especially for delivering non-sensitive data to end users. However, making them completely open exposes them to abuse. By applying a layered defense strategy using rate limiting, fingerprinting, CORS, short-lived tokens, and behavioral analysis, you can protect these APIs without burdening the user experience.

Security is an ongoing process. Regularly review usage patterns, monitor new threats, and update your defenses accordingly. With the right precautions, public API security can be both useful and secure.