Allow calling RESTful APIs from a specific source

Hi guys,

I want to set a policy to limit the use of plone.restapi unless a specific token is sent by the caller in a header. For example, I want to allow specific mobile apps to use the APIs, but not open them to the public.
I already checked the CORS policy in plone.rest, but that looks web-oriented.

Is there a way to do it?

plone.restapi usage can be locked down by a permission and custom role in your custom rolemap.xml:

<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="My Secret Role Name" />
  </roles>
  <permissions>
    <permission name="plone.restapi: Use REST API" acquire="False">
      <role name="Manager" />
      <role name="My Secret Role Name" />
    </permission>
  </permissions>
</rolemap>

Then use pas.plugins.headers and configure it to apply a roles_header from the request, like "My-Secret-Header: My Secret Role Name".

So, this is not super secure. Anyone who knows which header to set can always access the API. That said, it is security by obscurity, which is never good.

To make it really secure you need to close the restapi with a role as above and log the users in, having them in a group with the role applied.
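As an added example (not code from the post or from the pas.plugins.headers project), this is the plugin-side GenericSetup fragment that pairs with the rolemap.xml above; the file name, the plugin id `request_headers`, the meta_type and the property names other than roles_header are assumptions about the plugin's import format and should be checked against the installed plugin in acl_users.

```xml
<?xml version="1.0"?>
<!-- Assumed location: profiles/default/pas.plugins.headers.xml -->
<object name="request_headers" meta_type="Header Plugin">
  <!-- Header that identifies the caller; assumed property name. -->
  <property name="userid_header">My-Secret-User</property>
  <!-- Requests without this header are not authenticated by the plugin
       at all, so they fall back to ordinary (cookie/basic) auth. -->
  <property name="required_headers">
    <element value="My-Secret-User"/>
  </property>
  <!-- Header whose value becomes the request's roles, as in the post. -->
  <property name="roles_header">My-Secret-Header</property>
  <!-- Limits which role names the header may confer: a caller sending
       "Manager" in it still gets nothing beyond the REST role. -->
  <property name="allowed_roles">
    <element value="My Secret Role Name"/>
  </property>
</object>
```

Because any caller that knows the header name gains the role, have the reverse proxy in front of Plone strip or overwrite My-Secret-Header and My-Secret-User on incoming requests so only the trusted path can set them.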

Thanks Jensens for your feedback. I will try it.
The point here is that I want to authorize the source initiating the call first, then allow it to make calls to APIs which are well-protected with roles and permissions as they are right now.
