Do you want to use it on a public page or a page that is behind a login? If it is public you could model google's pattern which is have a public key associated with a domain. So only requests from a certain domain that send a specific key are allowed access. If it's behind a login on a password protected page then you could allow access only for that person's data that is logged in.
You can check https://blogs.msdn.microsoft.com/martinkearn/2015/03/25/securing-and-securely-calling-web-api-and-authorize/. i haven't used it with nopCommerce, but it worked well for a custom API.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
