Send every API request with the POST method, and verify on the server side that each request actually used POST.
The API must be hosted on a subdomain and served over HTTPS.
The API domain should not be crawled by Google or any other service.
Each request must carry the Auth Key and the Client Service in its request headers, and the server must validate both.
Auth Key – an encrypted form of your secret word.
Client Service – simply the name of the client in which the API is used (e.g. Android frontend).
If any of these values does not match (request method not POST, Auth Key mismatch, or Client Service mismatch), redirect to the Unauthorised error page with status 401.
Every response from the server must be in JSON format with an appropriate HTTP status code.
Generating and Checking Tokens
A token is generated after login or signup.
Generating Token
The token may be a randomly generated unique id, or a unique key from the user table (user id, email id or phone number) combined with the mobile device id; it must be encrypted together with its expiry date and time.
The token must be stored in the database in a separate table along with its created time and record status.
Checking Token
This is simple: first decrypt the token and extract the expiry date and time.
If the decrypted value is not in a valid format, redirect to the Unauthorised error page with status 401.
If the current date and time is later than the expiry date and time, redirect to an error page.
Otherwise, check whether the token is present in the token table.
Refreshing Token
The refresh token method extends the expiry date and time and generates a new token.
This method takes the time to extend by as its parameter.
It can be called from any method whenever necessary.
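The generate / check / refresh flow described above, as an added example that is not part of the original page. It uses an HMAC-SHA256 tag over the token body instead of encryption (the standard library has no authenticated encryption, and integrity is what the format check needs so that a tampered token fails before it is parsed); the SERVER_SECRET, the in-memory TOKEN_TABLE dict standing in for the database table, and the field names uid/dev/exp are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

SERVER_SECRET = secrets.token_bytes(32)  # constructed here; load from config in practice
TOKEN_TABLE = {}  # stand-in for the separate token table: token -> row
TAG_LEN = 32      # SHA-256 HMAC tag appended to every token body

def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()

def generate_token(user_id, device_id, expires_at, now):
    """Build the token from unique key + device id + expiry and store it in the table."""
    payload = {"uid": user_id, "dev": device_id, "exp": expires_at.isoformat()}
    body = json.dumps(payload, separators=(",", ":")).encode()
    token = base64.urlsafe_b64encode(body + _sign(body)).decode()
    TOKEN_TABLE[token] = {"created": now, "status": "active"}
    return token

def check_token(token, now):
    """Return (http_status, payload_or_reason) following the checking steps above."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if not hmac.compare_digest(tag, _sign(body)):
            return 401, "invalid token"            # tampered or foreign token
        payload = json.loads(body)
        expires_at = datetime.fromisoformat(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return 401, "invalid token format"         # step 1: undecodable / malformed
    if now > expires_at:
        return 401, "token expired"                # step 2: past expiry
    row = TOKEN_TABLE.get(token)
    if row is None or row["status"] != "active":
        return 401, "token not found"              # step 3: not (or no longer) in table
    return 200, payload

def refresh_token(token, extend_by, now):
    """Extend the expiry by `extend_by`, issue a new token and retire the old one."""
    status, payload = check_token(token, now)
    if status != 200:
        return status, payload
    new_expiry = datetime.fromisoformat(payload["exp"]) + extend_by
    TOKEN_TABLE[token]["status"] = "revoked"       # old token must not stay usable
    return 200, generate_token(payload["uid"], payload["dev"], new_expiry, now)
```

Revoking the old token on refresh is the detail the page leaves implicit; without it the table check in step 3 would keep accepting a token the client has already replaced.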