I have a game that has many web services.
I can protect my web services with an API key, but if it is unique, a user could copy the API key and change the POSTs. For instance, there is a service to add points, so instead of adding 5 points, they could add 50 points by changing the call.
How should I manage this case? The issue is that the game only knows 1 API key.
I could also generate a random number on the server, send it to the game, and then do the operation, but it would cost me an extra call for each service; it seems too heavy for me.
I also can't use nonces, because they are not single use, they have a lifetime:
They help protect against several types of attacks including CSRF, but do not protect against replay attacks because they aren’t checked for one-time use.
Any idea how I should deal with this case?
PS: I have no time to implement OAuth 2.0.
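
The point made in the quoted sentence, shown as an added example that is not part of the original post: a nonce checked only against its lifetime is accepted again when replayed, while a server-side record of spent nonces rejects the second use. The secret, the lifetime, the nonce format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret"  # assumption: known only to the server
LIFETIME = 300  # assumption: nonce lifetime in seconds


def _mac(action, ts, rand):
    msg = f"{action}|{ts}|{rand}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_nonce(action, now):
    """Return 'timestamp:random:mac', bound to one action and an issue time."""
    ts, rand = str(int(now)), secrets.token_hex(8)
    return f"{ts}:{rand}:{_mac(action, ts, rand)}"


def valid_within_lifetime(action, nonce, now):
    """Lifetime-only check: authentic and unexpired, but reuse is not tracked."""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return False
    ts, rand, mac = parts
    authentic = hmac.compare_digest(mac.encode(), _mac(action, ts, rand).encode())
    return authentic and 0 <= now - int(ts) <= LIFETIME


class SingleUseVerifier:
    """The same check plus a record of nonces that were already spent."""

    def __init__(self):
        self._spent = {}  # nonce -> time after which it is expired anyway

    def accept(self, action, nonce, now):
        # Forget spent nonces that can no longer pass the lifetime check.
        self._spent = {n: t for n, t in self._spent.items() if t >= now}
        if nonce in self._spent or not valid_within_lifetime(action, nonce, now):
            return False
        self._spent[nonce] = int(nonce.split(":")[0]) + LIFETIME
        return True


def demo():
    """Present one captured nonce three times: at +1 s, +60 s and +301 s."""
    t0 = 1_700_000_000  # constructed issue time
    nonce = issue_nonce("add_points", t0)
    offsets = (1, 60, 301)
    lifetime_only = [valid_within_lifetime("add_points", nonce, t0 + d) for d in offsets]
    verifier = SingleUseVerifier()
    single_use = [verifier.accept("add_points", nonce, t0 + d) for d in offsets]
    return lifetime_only, single_use
```

The spent-nonce record only has to remember a nonce until its lifetime ends, so its size is bounded by the number of nonces issued per lifetime window.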