Access to restricted REST APIs with token

Do you have a user base on your website? Or is it available to all unauthenticated users? If you do have a user base, then you can restrict access to them, but again, anyone can get access to the request from the browser’s dev tools and see the response in curl or Postman.

I thought the original problem was this: to keep the auth key secret, which has been solved by Functions; the API key is safely hidden.

Yes, but if anyone can access this API, it is irrelevant whether the auth key is visible. In addition, the auth key is still visible:

That’s why I asked, do you have a user base for your website where you’re authenticating people? Because if not, and if you’d done this without Netlify Functions, anyone could have checked the dev tools and got the URL you’re trying to make a request to along with the access token in this case. With Netlify Functions, at least the access token is hidden, only the response is visible.

Just like this:

Even if you had not used Netlify Functions, browsers will still show the network request, and thus what you are after won’t be possible without any user authentication. This is true for any system, not just Netlify. It’s not possible to secure unauthenticated API calls.

Here’s the way I was talking about:

It’s the most secure way that I know of because it deletes the temporary user, and thus, even if someone tries to use the same request that the browser made, it would not work again.

You can hide it by returning your own message with JSON.stringify('there was an error') instead of JSON.stringify(error).
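The two points made in this thread, keeping the key out of the browser by proxying through a Netlify Function and returning a generic error instead of the serialised error object, are put together below as an added example. This is not code from the thread, from the original poster, or from Netlify; UPSTREAM_URL, makeHandler, makeUpstreamError, fakeFetch and bodyLeaksKey are names assumed for the illustration, and the upstream error shape is constructed to look like the request-config-carrying errors common HTTP clients throw. The handler also refuses callers without a Netlify Identity user, since, as noted above, a hidden key does not help if anyone can replay the request from curl or Postman.

```javascript
// Added example (not the thread's or Netlify's code): a Netlify Function that
// proxies a third-party API. The key lives only in the function's environment,
// so the browser sees the response but never the Authorization header. On
// failure the function returns a generic message: error objects from HTTP
// clients often carry the request config (URL and headers), so
// JSON.stringify(error) would hand the key to whoever triggered the error.
// UPSTREAM_URL, makeHandler, makeUpstreamError, fakeFetch and bodyLeaksKey are
// assumptions made for this illustration.

const UPSTREAM_URL = "https://api.example.com/v1/items"; // hypothetical upstream

// Constructed error shaped like the ones axios-style clients throw: the
// request config, including the Authorization header, rides along with it.
function makeUpstreamError(url, authHeader) {
  return {
    message: "Request failed with status code 401",
    config: { url, headers: { Authorization: authHeader } },
  };
}

// Constructed stand-in for fetch() so the example runs offline. It accepts
// exactly one key and otherwise throws the error object above.
async function fakeFetch(url, options) {
  const auth = (options && options.headers && options.headers.Authorization) || "";
  if (auth !== "Bearer secret-key-123") throw makeUpstreamError(url, auth);
  return { ok: true, status: 200, json: async () => ({ items: [1, 2, 3] }) };
}

// Builds a Netlify-style handler, (event, context) => { statusCode, body }.
// apiKey:      the secret; in a real deployment read from process.env
// fetchImpl:   global fetch in production, fakeFetch here
// requireUser: refuse unauthenticated callers (Netlify Identity puts the
//              verified user on context.clientContext.user when the browser
//              sends its JWT in the Authorization header)
// leaky:       true reproduces the JSON.stringify(error) mistake for comparison
function makeHandler({ apiKey, fetchImpl, requireUser = true, leaky = false }) {
  return async function handler(event, context) {
    const user = context && context.clientContext && context.clientContext.user;
    if (requireUser && !user) {
      // Without this check anyone who copies the request from dev tools can
      // replay it from curl or Postman and use the hidden key indirectly.
      return { statusCode: 401, body: JSON.stringify({ error: "login required" }) };
    }
    try {
      const res = await fetchImpl(UPSTREAM_URL, {
        headers: { Authorization: `Bearer ${apiKey}` },
      });
      const data = await res.json();
      return { statusCode: 200, body: JSON.stringify(data) };
    } catch (error) {
      const body = leaky
        ? JSON.stringify(error)                  // leaks config.headers.Authorization
        : JSON.stringify("there was an error"); // generic, as suggested in the thread
      return { statusCode: 502, body };
    }
  };
}

// True when a response body still contains the secret; used to check that the
// hardened handler never echoes it back to the browser.
function bodyLeaksKey(body, apiKey) {
  return body.includes(apiKey);
}

// Production wiring (assumption, not shown in the thread):
// exports.handler = makeHandler({ apiKey: process.env.API_KEY, fetchImpl: fetch });
```

Note that the generic message only closes the leak through the response body; the function log still receives the full error object if you log it there, which is the right place for it, since site logs are not visible to the caller.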