Hi,

We have a couple of APIs that contain public data. These APIs are using oauth2 client credentials to secure them. The main benefit behind using oauth2 is to limit any potential abuse of the data and make sure that people are not scraping this public data. We have a couple of developers that want to write single page apps / javascript apps and call these public APIs.

I'm really struggling figuring out a way to keep the APIs secure. I know that with javascript somebody could just view the source code and get any credentials that are in it. A few thoughts that came through my mind are:

* Have a server side page that makes the api calls on behalf of the javascript app and just returns html data. The developers are hoping to not have to put much load in their servers. That's why they were looking at a server side page that would make the API calls. The server side page could still be abused in the sense that somebody could just hammer that page to scrape data.

* Restricting the api calls based on IP addresses. This could prevent too many calls or a spike in the number of calls from the same IP address.

* Letting the javascript code use an access token that has a very short expiration date. This would help, but somebody could easily just refresh the javascript app to get a new access token.

Are there some security mechanisms that I'm not considering? The data is public so using 3-legged oauth doesn't apply.