Public API with authorization token -- is it possible to protect the demo token?

As Steffen has said you cannot protect the token from users.

I'd just like to add a suggestion for a more general scenario of having a "demo" Api. It sounds like your API doesn't have any stored data and just does calculations on input so this may not be a concern for you, but rather than having the demo token point to your real api, you could point it to a demo / sandbox version with meaningful, but not real data that could:

  1. only have the demo token in it - no other users
  2. be reset automatically on a daily basis
  3. have a small amount of data in it rather than your full set (if you have data)
  4. potentially not return valid results for all calculations as a way of requiring people get a real account from you rather than just using the demo token

This would feel safer to me as your live system would never be touched by anybody with the demo token, and in scenarios where you may have functionality you are selling etc, it allows developers to integrate and confirm they have integrated correctly, but doesn't give away the full set of functionality/data to the demo token.


It is not possible to protect the token because as you noticed yourself the user can simply look what kind of request was sent. Since the demo site is under your control you can though change the demo token whenever you want. As long as you only accept valid tokens and you change the token often enough you will limit misuse of the token. And since the page including the token was generated by the server you could also generate a token specific for the users source IP address and maybe a cookie which would further limit any misuse of the token.