
How to encrypt an api key

naotoxxx
Participant
0 Kudos

Hello community, I have been away from the community for a while 😞

I'm looking for info because I need to use an API

https://developer.mercedes-benz.com/apis/image_api/docs

So an example would be

https://api.mercedes-benz.com/image/v1/vehicles/CODEOFTHEVEHICLE/vehicle?apikey=MY_APIKEY

If I build this URL, would my API key be exposed?

Accepted Solutions (1)

ericci
Active Contributor

Well yes, you have only 2 options.

  1. If the Mercedes API server allows restricting which IPs it accepts API calls from, just configure it and restrict it to your server's IP (as Google does).
  2. Use your server as a middleware/dispatcher. Your web app will call your server and only your server will call the Mercedes API. This is not the best solution because you're putting another entity in the middle.

mariusobert
Developer Advocate

I agree with what Emanuele said, the best way is to write your own server which proxies the request to Mercedes. Also as an additional remark:

You won't be able to call this API from your SAPUI5 app anyway since the same-origin policy of your browser will prevent this request (I assume you won't host the app on mercedes-benz.com).

It would be different if Mercedes would release a JS client, which is distributed from this domain. In those cases, you won't likely have an API key, but only an app id.

Regards,

Marius

ericci
Active Contributor

Yeah the CORS would be the second huge problem 😄

naotoxxx
Participant
0 Kudos

Thanks! But now I'm confused 😕 I thought that I just needed to build my HTTPS request as the documentation says and see how to process the response in case it's successful, because it's a free API just to see images of a car with an id_car. Now I do not know if it's possible to use this API with Fiori (SAPUI5) 😞 and I don't know how to build this request with AJAX.

ericci
Active Contributor

Destinations (please look at the documentation on the SCP site) are just "secure channels" that you create to external resources, and they can be used and seen inside UI5 apps deployed on SCP.

naotoxxx
Participant

My server is on-premise; nowadays we don't use SCP 😞

mariusobert
Developer Advocate
0 Kudos

In this case you would need to proxy the API calls in your server.

Btw, SCP is such a nice platform, why don't you want to use it 🙂 ?

naotoxxx
Participant

Because it's not my responsibility 😞 I would like

Answers (1)

brian_keenan
Contributor

You don't need to worry about this; once you use an SSL/HTTPS connection, the URL parameters, headers and content are all encrypted already.

mariusobert
Developer Advocate
0 Kudos

Hi Brian,

you're right: MitM attackers wouldn't be able to see the API Key then, but everyone who uses the web app will see it. If he wants to keep this information hidden, this wouldn't be the way to go.

Regards,

Marius

brian_keenan
Contributor

Yeah, the API code should not be stored or called from the web app; better to do this on the server side via a proxy of some sort. In the Cloud Platform, create destinations or API Management.
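
An added example, not written by any poster in this thread, of the server-side proxy the replies recommend: the browser calls your own server, and only the server attaches the API key. The route `/vehicle-image/<id>`, the `MERCEDES_API_KEY` environment variable and the id pattern are assumptions; the upstream URL shape is the one quoted in the question.

```javascript
// Added example: server-side proxy that keeps the API key out of the browser.
// Upstream URL shape is the one quoted in the question; the route, the id
// pattern and the environment variable name are assumptions.
const UPSTREAM_BASE = 'https://api.mercedes-benz.com/image/v1/vehicles/';
const ROUTE = /^\/vehicle-image\/([A-Za-z0-9]{1,32})$/; // strict allow-list for the id

// Extract the vehicle id from the client's path, or null if it is not well-formed.
function parseVehicleId(path) {
  const m = ROUTE.exec(path);
  return m ? m[1] : null;
}

// Build the upstream URL; the key is added here, on the server only.
function buildUpstreamUrl(vehicleId, apiKey) {
  const url = new URL(encodeURIComponent(vehicleId) + '/vehicle', UPSTREAM_BASE);
  url.searchParams.set('apikey', apiKey);
  return url.toString();
}

// Returns a Node http request handler. fetchImpl is injectable for testing.
function createProxyHandler(apiKey, fetchImpl = fetch) {
  return async function handler(req, res) {
    const path = new URL(req.url, 'http://localhost').pathname;
    const vehicleId = req.method === 'GET' ? parseVehicleId(path) : null;
    if (!vehicleId) {
      res.writeHead(404, { 'Content-Type': 'text/plain' });
      return res.end('Not found');
    }
    try {
      const upstream = await fetchImpl(buildUpstreamUrl(vehicleId, apiKey));
      const body = Buffer.from(await upstream.arrayBuffer());
      // Forward only status, content type and body: no upstream headers or URLs.
      res.writeHead(upstream.status, {
        'Content-Type': upstream.headers.get('content-type') || 'application/octet-stream',
      });
      res.end(body);
    } catch (err) {
      // Generic message: the error text could contain the upstream URL with the key.
      res.writeHead(502, { 'Content-Type': 'text/plain' });
      res.end('Upstream request failed');
    }
  };
}

// To run (Node 18+):
// require('node:http').createServer(createProxyHandler(process.env.MERCEDES_API_KEY))
//   .listen(8080);
```

If the proxy is served from the same origin as the SAPUI5 app, the app requests `/vehicle-image/<id>` with a plain AJAX call, and neither the key nor a cross-origin request appears in the browser.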