If you are distributing products that embed API keys and can set a custom User-Agent (e.g. an Electron app, or an iOS or Android app), we recommend adding that known User-Agent to your allowlist. Once a User-Agent is on the allowlist, any API request originating from other platforms is rejected.
The User-Agent allowlist uses partial string matching: if an allowlisted string appears anywhere in the request's full User-Agent header, the request counts as a match.
Example:
Allowlist entry: com.example.dapp
Request:
curl -X POST \
  https://api.trongrid.io/wallet/createtransaction \
  -H 'User-Agent: com.example.dapp/v1.2.7 (Linux; Android 8.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36' \
  -H 'Content-Type: application/json' \
  -H 'TRON-PRO-API-KEY: 25f66928-0b70-48cd-9ac6-da6f8247c663' \
  -d '{
    "to_address": "41e9d79cc47518930bc322d9bf7cddd260a0260a8d",
    "owner_address": "41D1E7A6BC354106CB410E65FF8B181C600FF14292",
    "amount": 1000
  }'
Result: this request is allowed, while requests with any other User-Agent are rejected.
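The following is an added example, not TronGrid's own code, that models the partial (substring) matching described above so you can see which User-Agent strings an allowlist entry admits before you deploy it. It assumes matching is a plain case-sensitive substring test, and the sample User-Agents and the `is_allowed` / `overly_broad_entries` helpers are constructed for this illustration. The second helper flags entries that are so short or generic (for example a token like "Safari") that they would also match ordinary browser traffic, which is the main way a substring-based allowlist ends up admitting more than you intended. Keep in mind that the User-Agent header is supplied by the client, so the allowlist narrows which clients are accepted but does not replace keeping the API key itself confidential.

```python
"""Reference model of a User-Agent allowlist with partial (substring) matching.

Added example, not TronGrid's code. Assumption: matching is a plain,
case-sensitive substring test of each allowlist entry against the full
User-Agent header value.
"""

from typing import Iterable, List

# Constructed sample allowlist, using the entry shown on the page.
ALLOWLIST = ["com.example.dapp"]

# Constructed sample User-Agent strings. The first is the one from the page's
# curl request; the other two stand in for traffic from other platforms.
UA_DAPP_ANDROID = (
    "com.example.dapp/v1.2.7 (Linux; Android 8.0; SM-G930V Build/NRD90M) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36"
)
UA_DESKTOP_BROWSER = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
)
UA_CURL_DEFAULT = "curl/8.4.0"


def is_allowed(user_agent: str, allowlist: Iterable[str]) -> bool:
    """Return True if any allowlist entry occurs anywhere in the User-Agent.

    Partial matching means the entry need not be at the start of the header.
    An empty or missing header never matches a non-empty entry, and empty
    allowlist entries are ignored so they cannot match everything.
    """
    if not user_agent:
        return False
    return any(entry and entry in user_agent for entry in allowlist)


def overly_broad_entries(allowlist: Iterable[str],
                         generic_uas: Iterable[str]) -> List[str]:
    """Return allowlist entries that would also admit generic clients.

    Because matching is substring-based, a common token such as "Mozilla" or
    "Safari" admits nearly every browser and defeats the purpose of the
    allowlist. Run this against a sample of ordinary browser and tool
    User-Agents before adding an entry.
    """
    generic = list(generic_uas)
    return [entry for entry in allowlist if any(entry in ua for ua in generic)]


if __name__ == "__main__":
    for ua in (UA_DAPP_ANDROID, UA_DESKTOP_BROWSER, UA_CURL_DEFAULT):
        verdict = "ALLOW " if is_allowed(ua, ALLOWLIST) else "REJECT"
        print(f"{verdict}  {ua[:48]}")
    # A candidate list containing a generic token is flagged before rollout.
    print("overly broad:", overly_broad_entries(
        ["com.example.dapp", "Safari"], [UA_DESKTOP_BROWSER, UA_CURL_DEFAULT]))
```

Running the script prints ALLOW for the page's Android User-Agent and REJECT for the desktop browser and default curl strings, and reports "Safari" as an overly broad entry while "com.example.dapp" is not.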