One-time secured API requests

Nowadays, HTTP APIs act as gateways for petabytes of data, and some of it might require stricter access rules. For example, you could create a link that allows the user to download a file only once, with a token embedded in that link.
I was in need of such a solution for my open source project Warden – a specialized, one-time link that can be used to fetch the configuration object from the API.
It turned out to be fairly straightforward to implement the most basic version of such behavior.


 

Before I show any code, let me warn you that, for the sake of simplicity, no specialized design patterns are involved (repositories, command handlers etc.) and everything is held in memory (a static List). Additionally, the whole example is built on top of the latest version of ASP.NET MVC. Being aware of such a sacrifice, let’s start with some actual coding:

This is quite a sophisticated entity called Item which we would like to fetch via our API controller:

And the “business logic”:

As you can see, it’s as simple as possible – I’m not even using interfaces or DTOs, not to mention IoC containers. Alright then, let’s try to secure our API:

So, what’s going on here? First, we create an enum for the resource types. There’s just Item, and you could use something totally different here, like a string based on the class type name or something fancier, but that’s not the point of this article. Then, we define the SecuredRequest, which takes the resource type and id as parameters and creates a secured token. In case you were wondering what the heck ReplaceableCharacters are – it’s just a set of characters that I’d rather exclude from the token used within a link, in order not to mess with the HTTP parser. Now we’re ready for the almost final step:

This guy above will be responsible for creating and validating access tokens for the particular resources. In order to make this sample testable, let’s add a simple endpoint for generating the tokens:

And finally, we can secure the access to the items, so that the controller would look like this:

And that’s all – try to run the application now and access the item without a token or with an invalid one. Create a new token, fetch the item and try to fetch it one more time – voilà, you have just limited your requests to be one-time only. You can download the sample application by clicking here.

Before I finish this post, here are some possible extensions and things to consider:

  • Move the implementation to specialized attributes or so.
  • Store more data like headers (e.g. User-Agent), IP address etc.
  • Allow only authenticated users to access the resource.
  • Include dates to limit the usage of the token within the given period.
  • Restrict the access via IP address or other techniques.
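
An added example, not the post's or Warden's own code: a minimal in-memory token service along the lines described above. It goes slightly beyond the walk-through by keying the store on the token itself, removing the entry atomically on first use, and applying the expiry period from the list. The names `OneTimeTokenService`, `Grant`, `Create` and `TryConsume` are assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
public enum ResourceType { Item }
// Hypothetical service for illustration (names are assumptions, not Warden's code).
public sealed class OneTimeTokenService
{
    private sealed record Grant(ResourceType Type, int ResourceId, DateTime ExpiresAtUtc);
    // Keyed by token, so several links for the same resource can coexist.
    private readonly ConcurrentDictionary<string, Grant> _grants = new();

    public string Create(ResourceType type, int resourceId, TimeSpan lifetime)
    {
        // 32 bytes from the OS CSPRNG, encoded URL-safe (no '+', '/' or '=').
        var bytes = RandomNumberGenerator.GetBytes(32);
        var token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _grants[token] = new Grant(type, resourceId, DateTime.UtcNow.Add(lifetime));
        return token;
    }

    // Succeeds at most once per token: TryRemove is atomic, so two concurrent
    // requests carrying the same token cannot both pass. A token presented for
    // the wrong resource, or after expiry, is burned as well.
    public bool TryConsume(string token, ResourceType type, int resourceId)
    {
        if (string.IsNullOrEmpty(token) || !_grants.TryRemove(token, out var grant))
            return false;
        return grant.Type == type && grant.ResourceId == resourceId
            && grant.ExpiresAtUtc > DateTime.UtcNow;
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new OneTimeTokenService();
        var first = service.Create(ResourceType.Item, 1, TimeSpan.FromMinutes(5));
        var second = service.Create(ResourceType.Item, 1, TimeSpan.FromMinutes(5));
        var expired = service.Create(ResourceType.Item, 1, TimeSpan.Zero);
        Console.WriteLine(service.TryConsume(first, ResourceType.Item, 1));   // first use
        Console.WriteLine(service.TryConsume(first, ResourceType.Item, 1));   // replay
        Console.WriteLine(service.TryConsume(second, ResourceType.Item, 2));  // wrong item
        Console.WriteLine(service.TryConsume(expired, ResourceType.Item, 1)); // expired
        Console.WriteLine(service.TryConsume("bogus", ResourceType.Item, 1)); // unknown
    }
}
```

In a controller, `TryConsume` would run before the item is loaded, with a failed check answered the same way whether the token is unknown, already used or expired.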

5 Comments One-time secured API requests

  2. casharpbeginner

    What if someone would like to regenerate the token for a specific item? You create a new SecuredRequest just by adding a new one to the collection, so it can happen that you will have 2 SecureRequests for Item 1 in the collection, but while consuming you find them by FirstOrDefault, so it will always be comparing to the first SecuredRequest ever created == it won’t work in this scenario. Maybe that was the point, not to let people regenerate the link for a single Item, so maybe it would be good not to allow creating multiple SecureRequests for Item 1 in the collection?
