Consider this: An attacker finds a way (and eventually he or she would) to walk through the entire API and find all the endpoints. Then moves on to crafting a token and trying to bypass authentication.
Or, would it be harder to first craft the authentication and then find the endpoints?
Which would, if successful, damage your product the most? Which would, if successful, be detected first?
I don't know anything about your product but those are, I believe, interesting questions to go through.
Independent consultant, developer, content creator, mentor with 10+ years experience in making things happen.
Check out my coding channel: https://www.youtube.com/@rytis-codes
I don't think API endpoints themselves are a huge secret. But if we require a valid token first, then it will be easy to see which user is trying to scan the API. Due to the nature of our business, the users are linked to real identities, so it would be easy to track which real person is doing the scanning (or whose account was compromised).
I think I kinda answered my own question here. Thank you for formulating the right questions for me to ask.
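The design the comment above settles on, authenticate every request before the router is consulted so that endpoint probing is attributable to an identity, as an added example that is not part of the original thread. It assumes a minimal HMAC-SHA256 bearer-token scheme (not a real JWT library), a constructed signing key, and a hypothetical two-route table; an anonymous caller gets the same 401 whether or not the path exists, while an authenticated caller hitting unknown paths is logged by user id, and `scan_suspects` picks out accounts whose miss count looks like a scan:

```python
"""Authenticate-before-route: the token is checked before the route table is
consulted, so unknown paths cannot be distinguished from real ones without a
valid identity, and every probe of an unknown path is attributed to a user.
"""
import base64
import hashlib
import hmac
import json
import time
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed key for this example only; a real service loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint '<base64 payload>.<base64 hmac>' for user_id (hypothetical token format)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is well-formed, correctly signed and unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):  # malformed structure or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time signature check
        return None
    claims = json.loads(payload)  # payload is ours: the MAC matched
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


# Hypothetical route table: (method, path) -> handler(user) -> (status, body)
ROUTES: Dict[Tuple[str, str], Callable[[str], Tuple[int, dict]]] = {
    ("GET", "/api/v1/profile"): lambda user: (200, {"user": user}),
    ("GET", "/api/v1/orders"): lambda user: (200, {"user": user, "orders": []}),
}


def handle_request(method: str, path: str, headers: dict, audit_log: List[dict],
                   now: Optional[float] = None) -> Tuple[int, dict]:
    # Step 1: authenticate before looking at the path. Known and unknown paths
    # produce the identical 401 for anonymous callers, so the route table is not
    # enumerable without a usable identity.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = verify_token(token, now) if token else None
    if user is None:
        return 401, {"error": "unauthorized"}
    # Step 2: route. Misses are recorded against the authenticated user, which is
    # what makes a scan attributable to a real account.
    handler = ROUTES.get((method, path))
    status = 404 if handler is None else 200
    audit_log.append({"user": user, "method": method, "path": path, "status": status})
    if handler is None:
        return 404, {"error": "not found"}
    return handler(user)


def scan_suspects(audit_log: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Users with at least `threshold` hits on endpoints that do not exist."""
    misses = Counter(e["user"] for e in audit_log if e["status"] == 404)
    return {u: n for u, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    log: List[dict] = []
    tok = issue_token("alice")
    print(handle_request("GET", "/api/v1/admin", {}, log))                     # anonymous probe: 401
    hdr = {"Authorization": "Bearer " + tok}
    for guess in ("/api/v1/admin", "/api/v1/users", "/api/v1/debug",
                  "/api/v1/export", "/api/v1/internal"):
        handle_request("GET", guess, hdr, log)                                 # authenticated scan
    print(scan_suspects(log))                                                  # {'alice': 5}
```

The threshold is a tuning knob, not a rule: legitimate clients do occasionally request stale paths, so the miss count per account over a time window is what an analyst would actually alert on, and the decision of whether a flagged account is the real person scanning or a compromised account is a follow-up investigation, not something the log alone settles.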
My pleasure! Keep it up!