heroku rapidapi

How to make a REST API deployed to Heroku accessible only through RapidAPI


Salutations!

I have just completed my first REST API, deployed on Heroku, and I decided it would be cool to make $0 a month through RapidAPI.

The RapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.

However, when I access the site in a browser or in Postman, there is no need for an API key and therefore no restrictions on GET requests.

I have noticed that the test code makes a fetch request to the RapidAPI URL for the project, but how can I make the Heroku URL accessible only from RapidAPI?

I know it's extremely unlikely someone will find my Heroku app URL, but it is technically possible.

I appreciate your time and insights.


Solution

  • RapidAPI provides 2 security features to support this:

    There might be a Heroku add-on to help with the IP filtering, but those are typically enterprise plugins (with an associated cost).
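
RapidAPI's gateway adds an `X-RapidAPI-Proxy-Secret` header to the requests it forwards, so checking that header at the origin is one way to reject direct calls to the Heroku URL. The following is an added example, not code from the answer above; the config var name `RAPIDAPI_PROXY_SECRET` and the function names are hypothetical, and the secret value is the one shown for the API in the RapidAPI provider dashboard.

```javascript
const crypto = require("node:crypto");

// Hypothetical Heroku config var holding the proxy secret copied from
// the RapidAPI provider dashboard. Never hard-code it in the repo.
const PROXY_SECRET = process.env.RAPIDAPI_PROXY_SECRET || "";

// Compare in constant time. Hashing first gives timingSafeEqual two
// equal-length buffers regardless of what the client sent.
function secretMatches(presented, expected) {
  // Fail closed: a missing header or an unset secret never matches.
  if (typeof presented !== "string" || !expected) return false;
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Wrap any (req, res) listener, e.g. an Express app or a plain
// http.createServer handler, so only gateway traffic reaches it.
function requireRapidApi(handler, expected = PROXY_SECRET) {
  return (req, res) => {
    // Node lower-cases incoming header names.
    const presented = req.headers["x-rapidapi-proxy-secret"];
    if (!secretMatches(presented, expected)) {
      res.statusCode = 403;
      res.setHeader("Content-Type", "application/json");
      res.end(JSON.stringify({ error: "forbidden" }));
      return;
    }
    handler(req, res);
  };
}

// Usage on Heroku (not executed here):
//   const http = require("node:http");
//   http.createServer(requireRapidApi(app)).listen(process.env.PORT);
```

Requests sent straight to the `herokuapp.com` URL from a browser or Postman lack the header and get a 403, while calls made through the RapidAPI URL pass through unchanged.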