I made my own app via Laravel/Vue. It uses a REST API. After registering, my user has to enter his own website address. Then he receives an API key and a tracking code to paste on his own site.
That tracking code sends an HTTP POST request to my site in a certain situation. Simple JavaScript. With that request it sends that API key as one of the params.
The server compares the API key with the referer. If the API key matches the key owner's website, the API script works. If not, it responds with Forbidden.
The sad thing is this: I can get the API key from the user's site (RMB -> Show source). Then I can run e.g. Postman, set the token and other params, fake Origin and Referer, and it will work!
How can I protect my REST API from fake calls? I would like not to use server-side code.
If it's inevitable, I would also like to know why people almost always use two keys (a key and a secret).
Also, would I be forced to write a server-side script for a few backend languages, or would it not be problematic to run that one PHP script on a RoR or Python server? (Kind of a stupid question, but really important for me.)
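The usual reason for a key-and-secret pair, shown as an added example that is not part of the original post: the public key only identifies the customer, while the secret never leaves the customer's server and is used to compute an HMAC over each request, so a copy of the key taken from page source is not enough to produce a valid call. The registry, key values, timestamp and payload below are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed sample registry: api_key -> secret and registered site.
# In the real app this lives in the Laravel database; values are placeholders.
KEY_REGISTRY = {
    "key_demo_123": {"secret": "s3cr3t-never-sent-to-browser", "site": "https://example.com"},
}


def canonical(api_key, timestamp, payload):
    """Fixed serialisation that both sides sign, so the HMAC covers every field."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return "{}\n{}\n{}".format(api_key, timestamp, body).encode()


def sign_request(api_key, secret, payload, timestamp=None):
    """Customer's server-side step: sign with the secret; only key + signature travel."""
    ts = int(time.time()) if timestamp is None else timestamp
    digest = hmac.new(secret.encode(), canonical(api_key, ts, payload), hashlib.sha256)
    return {"api_key": api_key, "timestamp": ts, "signature": digest.hexdigest(), "payload": payload}


def verify_request(request, now=None, max_skew=300):
    """API-side check: recompute the HMAC with the stored secret.
    Referer/Origin play no part, because the caller controls those headers."""
    entry = KEY_REGISTRY.get(request.get("api_key"))
    if entry is None:
        return False
    now = int(time.time()) if now is None else now
    ts = request.get("timestamp")
    if not isinstance(ts, int) or abs(now - ts) > max_skew:
        return False  # stale or future-dated: limits replay of a captured request
    expected = hmac.new(
        entry["secret"].encode(),
        canonical(request["api_key"], ts, request.get("payload", {})),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(expected, str(request.get("signature", "")))
```

The pasted JavaScript snippet cannot hold the secret, so the signing step has to run on the customer's server; the verification logic itself is language-independent and ports directly to PHP, Ruby or Python with their standard HMAC libraries.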