JavaScript – Securing AJAX Calls to REST API

ajax, javascript, jquery, rest

I need for my app to consume a rest api service and since I will call it from javascript/jquery I need to expose it to the end user.

In this case I would also need to expose credentials to the end user, which is something I would like to avoid. As an alternative I am thinking of using a token that would replace sensitive credentials, but what concerns me is how to prevent an end user from reusing or recalling the rest api service, misusing that same token with different params?

Bottom line, how to successfully protect the application so only the application can consume the rest api and not the end user himself?

EDIT

This question raised a couple of doubts so I would like to make myself clear.
For example:
Javascript from my app contains an ajax call that calls a third party api. For example http://domain.com/api/insert-item?user=username&password=password&userid=1000&itemid=55555&itemvalue=10

What stops any user from changing the query string to userid=2000&itemid=55555&itemvalue=100

What stops any user from getting our credentials for the third party api and consuming it without permission?

Best Answer

You can't.

Let me rephrase: Impossible
You could/should make it harder to use a token. Implementing a max-usage per token, a max life-time, ... It is however impossible to know if it is the scriptkiddie or your 'application' contacting your api.

A lot of people tend to forget that it is never the application calling the api, it's the application, telling the client what api to call. Everything else is based on trust. And on the internet, trust is deprecated.