I am developing a service with an associated REST API for customers (companies which have their own websites) to use. In other words, one of my customers would typically make the REST call directly from their website (i.e. the request would originate from one of their customers' browsers).
I can of course provide an access token to give my customer access, but by definition it will have to be published publicly on their site, which means that anyone would have access to it.
The situation seems analogous to the use of Google Maps API keys, for example. Unless I'm mistaken, if I embed a map on my page, my API key needs to be public. As far as I know, the only protection against other people using my key is that I can restrict requests (with Google) to certain domains.
Is this the only thing I can do to restrict access to my customers? Is it possible for a non-customer to spoof their referring domain? If so, do people do this to use other Google API keys?
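Server-side per-key origin allowlisting of the kind the question describes, as an added example that is not part of the original post; the key names and domains are constructed. It checks the browser-supplied Origin header (falling back to Referer) against the origins registered for the key, comparing exact origins rather than substrings.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: public API key -> set of allowed origins (scheme://host[:port]).
# Keys and domains are made up for this example.
KEY_ORIGINS = {
    "pk_customer_a_example": {"https://shop.customer-a.example"},
    "pk_customer_b_example": {"https://www.customer-b.example", "https://customer-b.example"},
}


def normalize_origin(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to scheme://host[:port].

    Returns None for anything that is not an absolute http(s) URL, such as the
    literal "null" Origin that browsers send from sandboxed or opaque contexts.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def is_allowed(api_key: str, headers: dict) -> bool:
    """Accept the request only if its Origin (else Referer) exactly matches an
    origin registered for the key. Exact comparison avoids the classic
    substring bug where 'shop.customer-a.example.attacker.test' would pass.
    A missing header is rejected rather than assumed to be same-origin."""
    allowed = KEY_ORIGINS.get(api_key)
    if not allowed:
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    raw = lower.get("origin") or lower.get("referer")
    if not raw:
        return False
    origin = normalize_origin(raw)
    return origin is not None and origin in allowed
```

This only constrains requests a browser makes from the customer's page; it limits key abuse from other sites rather than acting as authentication of the caller.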