I'm developing both the server api and client-side app. I'm struggling with the client-side, as to whether to code it up as an app placed on their server or embedded with iframe and hosted on ours. I need your insights.
Here are our constraints:
Paid subscription based app. We want to authorize each request made to the server to ensure it's coming from a paid customer's site. Currently, we designed the API to accept HMAC Auth in the header and then compared it and the referrer host to what's in our db.
The API is RESTful. We do not want cookies or sessions.
Authorization is only for the client hosted site (our paid customers) and not their audience.
Resources sent back (if request is validated) will then be embedded into our customers' HTML pages.
We want to minimize the amount of code sitting on our customers' servers.
We're open to SSL/HTTPS and Oauth, if needed.
Given the above parameters, how would you go about the client-side portion? My first thoughts are to develop server code for generating the HMAC (sits on our customer's server) and then embed pass it to our iframe embedded on their page.
Thank you for your time and insights