I have two Web Apps written in .NET Core. App 1 served the HTML content and

To prevent the API from being accessed by any other website, I enabled CORS and added the domain of App 1 as the only domain allowed to access the API of App 2. It worked great, but any desktop app can mimic these same request headers and access the API; I tested with Postman and the API was accessed.

So I added an Authorization header so that all the API functions require a JWT bearer token to be authorized before they can be accessed.

The problem is how to prevent desktop apps, or other non-browser apps in general, from accessing it, because of the following:

1- If I put the access token in the response from App 2, any other app can get it easily, copy-paste it into their app, and the API will be accessed.
2- If I don't hardcode the token in the response of

So what should I do?
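An added illustration of the point behind the question (this is editor-written example code, not from the question or either app): a model of App 2's request handling in which the CORS allow-list only decides which browser may read the response, while access itself is granted by a short-lived JWT issued only after the user proves their identity, so there is no fixed token for a non-browser client to copy out of a page. The signing key, the user store, the App 1 origin and the 900-second lifetime are constructed placeholder values.

```python
import base64, hashlib, hmac, json

# Constructed demo values: a real deployment loads the signing key from configuration
# and stores salted password hashes, never a bare SHA-256 of the password.
SIGNING_KEY = b"constructed-demo-signing-key"
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
ALLOWED_ORIGIN = "https://app1.example"  # placeholder for App 1's origin on the CORS allow-list
TOKEN_LIFETIME = 900                     # seconds; short-lived so a leaked token is worth little

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, password, now):
    """Return an HS256 JWT only after the user proves identity. A fixed token
    embedded in App 1's HTML would be readable by any client, browser or not."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        return None
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token, now):
    """Check the signature and expiry; return the claims, or None if invalid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None

def handle_api_request(headers, now):
    """App 2's decision for one request. The Origin header only selects which
    CORS response header a browser receives; it is trivially spoofable by any
    non-browser client and grants nothing. Access depends solely on the token."""
    origin = headers.get("Origin")
    response = {"Access-Control-Allow-Origin": origin if origin == ALLOWED_ORIGIN else None}
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    response["status"] = 200 if claims else 401
    return response
```

A Postman-style client that sends the allowed Origin but no valid token still gets 401, which is the distinction the CORS allow-list alone cannot make.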