javascript - Protecting my API -

i've created website based on api - frontend decoupled backend using simple rest api (frontend pure javascript/html).

i protect api usage else - calls can come website alone (or maybe allow other specific websites use it).

for now, if use curl able scrape api easily.

how can protect api assuming frontend js/html only, legitimate calls own pages work curl , such third parties not?

this question may not fit so, there can multiple equally-valid answers.

but 1 way use ssl, user authentication, , tokens. here's rundown:

1. use ssl pages use api.
2. when page freshly-requested site, return token allows user login , nothing else. token associated requesting ip address on server , can used requests ip address, , logging in.
3. when user logs in, give them new token that's associated user account , ip address. subsequent requests must made using token, , ip address.
4. limit api calls can made token that user account must able use. default deny, in other words.
5. time-out tokens (on server) after whatever interval of inactivity seems appropriate you.
6. rate-limit requests rate reasonable actual human being using application.
7. make extensive use of logs determine patterns of typical activity, can identify atypical activity , block it.
8. this may obvious, make sure tokens hard predict (not steadily-increasing number, instance) , hard spoof. although ip address/token link held server-side, still don't want make life easy potential hackers.

the user authentication part of important, because otherwise, while you'd pretty safe remote hacking (because of ssl), hacker uses browser go site he/she can token can use curl or similar his/her heart's content token. if mining site, @ least want have clue might (your user authentication) can them stop.