How to restrict Heroku API access to only work through RapidAPI platform

Hey everyone!

I just finished building my first REST API and deployed it to Heroku. I wanted to monetize it through RapidAPI (even though I’ll probably make nothing lol).

The RapidAPI testing works perfectly and requires their API key for requests. But here’s my problem - when I test my Heroku URL directly in a browser or Postman, it works without any API key restrictions.

I noticed that RapidAPI makes requests to their own endpoint, not directly to my Heroku URL. How can I configure my Heroku deployment so it only accepts requests coming from RapidAPI?

I know the chances of someone randomly finding my Heroku URL are slim, but I want to be safe about it.

Any suggestions would be helpful!

Here’s another approach - use authentication middleware with environment variables. Store a verification token in your Heroku config vars and have RapidAPI include it in request headers when proxying to your endpoint. Your app checks for this token before processing requests. No token or wrong token? Return 401 unauthorized. This gives you full control without relying on IP addresses that can change. I’ve used this setup for several APIs and it works great. Easy to implement and you can rotate the token anytime for extra security.

I’ve had good luck with IP whitelisting through middleware. RapidAPI gives you their server IP addresses - just whitelist those in your app. Set up a middleware function that checks incoming request IPs against RapidAPI’s known IPs and returns a 403 for everything else. You can also validate request headers since RapidAPI adds specific headers to their proxied requests. Another trick is creating your own secret key for both Heroku environment variables and RapidAPI’s custom headers. Your API validates the secret before granting access. I use both methods together - works great for blocking unauthorized access even if someone finds your Heroku URL.

Check for RapidAPI’s headers - that’s the easiest fix I’ve found. They always send x-rapidapi-host and x-rapidapi-key, so just validate those exist before processing requests. Direct hits to your Heroku URL won’t have them, so you can throw an error. Way simpler than messing with IP whitelisting.