How Can I Secure My Web API Against Unauthorized Access Even with Authentication?

Asked By CleverPineapple123 On

I'm working on a project where I've got encrypted JSON data stored on the client's PC. I developed a service that reads this JSON and sends requests to my Web API to retrieve decrypted data. My goal is to prevent competitors from accessing this JSON data, which details the flow of my application's instructions. However, I'm facing a challenge: even with an authentication token, rivals can still send requests to my API and access the decrypted information. I'm looking for suggestions on how to effectively block other programs from making valid requests to my API, even if they have the auth token.

5 Answers

Answered By CuriousOtter33 On

As tough as this sounds, protecting the data on the client side is inherently risky. You could look into envelope encryption where the client generates a temporary key to handle decryption on the fly. Just remember, anything that runs on the client side can potentially be exposed. The best defense is often to keep sensitive logic server-side.

Answered By SneakyFox88 On

You might think about implementing IP blocking for authorized clients, but as others pointed out, if a rival runs software on the same machine, they could still mimic your service's API calls. The real answer might be restructuring your application so that sensitive operations happen on the server, keeping the client app less vulnerable.

Answered By FriendlyHedgehog99 On

Your project seems interesting, but to be real, if someone has access to the client PC, they could find a way to exploit it. Focusing on detecting unauthorized access and adding measures like session invalidation for reused tokens might give you more peace of mind than focusing solely on obstruction.

Answered By WittyTurtle45 On

Honestly, it's tough to completely prevent others from accessing your data once they're determined enough. While you can make it more complicated for rivals to retrieve data, there’s no foolproof way to stop them if they have a legitimate access path. Maybe consider server-side decryption with strict rate limits on API usage. It won't stop everyone, but it can make things more challenging for unauthorized users.

Answered By BraveSquirrel77 On

I feel you on this concern, but you have to remember that no matter what security measure you implement, a skilled developer could reverse-engineer your application. Instead of just focusing on protecting the data, you might want to think about making the API workflow more complex with elements like one-time tokens to validate requests.
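The server-side measures proposed across the answers above (one-time tokens to validate requests, session invalidation when a token is reused, and strict rate limits on decrypt requests) put into one working Python example. This is an added example, not code posted in the thread: the `RequestGate` class, its two-step issue/handle flow, the token values and the "decrypted" instruction steps are all constructed for illustration, and the HTTP layer is left out. Note what it does and does not do: it limits and detects what a copied auth token can achieve against the API, but, as every answer points out, it cannot stop a rival who controls the client machine from driving the legitimate service itself.

```python
"""Added example, not code from the original thread: a minimal server-side
request gate that turns three of the answers' suggestions into working code:
one-time request tokens (nonces) valid for a single decrypt request; session
invalidation when a nonce is seen twice (a replayed request); and a per-session
token-bucket rate limit. It runs entirely on the server and cannot protect a
client the rival controls; it only limits and detects what a copied auth token
can do. Token values and the "decrypted" payloads are constructed."""
import secrets
import time
from dataclasses import dataclass

# Constructed sample: the instruction steps the question keeps encrypted on the
# client. Here they stay server-side and are returned one step per request.
INSTRUCTION_STORE = {
    "step-1": "load-config",
    "step-2": "validate-license",
    "step-3": "run-pipeline",
}


@dataclass
class Bucket:
    capacity: int          # burst size
    refill_per_sec: float  # sustained rate
    tokens: float
    last: float


class RequestGate:
    def __init__(self, valid_tokens, nonce_ttl=30.0, rate_capacity=3,
                 refill_per_sec=0.5, clock=time.monotonic):
        self.valid_tokens = set(valid_tokens)  # hypothetical: issued at login
        self.revoked = set()
        self.nonce_ttl = nonce_ttl
        self.rate_capacity = rate_capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock                     # injectable for deterministic tests
        self._pending = {}  # nonce -> (auth_token, expiry)
        self._used = {}     # nonce -> expiry; kept until expiry to spot replays
        self._buckets = {}  # auth_token -> Bucket
        self.audit = []     # rejected requests, for detection and alerting

    def _authenticated(self, auth_token):
        return auth_token in self.valid_tokens and auth_token not in self.revoked

    def _purge(self, now):
        self._pending = {n: e for n, e in self._pending.items() if e[1] > now}
        self._used = {n: x for n, x in self._used.items() if x > now}

    def issue_nonce(self, auth_token):
        """Step 1: the client obtains a one-time token bound to its session."""
        if not self._authenticated(auth_token):
            raise PermissionError("unknown or revoked auth token")
        now = self.clock()
        self._purge(now)
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (auth_token, now + self.nonce_ttl)
        return nonce

    def _take_rate_token(self, auth_token):
        now = self.clock()
        b = self._buckets.get(auth_token)
        if b is None:
            b = Bucket(self.rate_capacity, self.refill_per_sec,
                       float(self.rate_capacity), now)
            self._buckets[auth_token] = b
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

    def handle_request(self, auth_token, nonce, step_id):
        """Step 2: the decrypt request itself. Returns (status, detail)."""
        if not self._authenticated(auth_token):
            self.audit.append(("bad_or_revoked_token", auth_token, step_id))
            return "deny", "unknown or revoked auth token"
        if nonce in self._used:
            # Same one-time token seen twice: a copied or replayed request.
            self.revoked.add(auth_token)
            self.audit.append(("nonce_replay_session_revoked", auth_token, step_id))
            return "deny", "nonce reused; session revoked"
        entry = self._pending.pop(nonce, None)
        if entry is None:
            self.audit.append(("unknown_nonce", auth_token, step_id))
            return "deny", "nonce not issued"
        bound_token, expiry = entry
        self._used[nonce] = expiry  # consumed: never accepted again
        if bound_token != auth_token:
            self.audit.append(("nonce_token_mismatch", auth_token, step_id))
            return "deny", "nonce bound to a different session"
        if expiry <= self.clock():
            self.audit.append(("nonce_expired", auth_token, step_id))
            return "deny", "nonce expired"
        if not self._take_rate_token(auth_token):
            self.audit.append(("rate_limited", auth_token, step_id))
            return "deny", "rate limited"
        data = INSTRUCTION_STORE.get(step_id)
        return ("ok", data) if data is not None else ("deny", "no such step")
```

The design choices worth noting: the nonce is popped before any other check, so a request that fails for any reason still burns its one-time token; consumed nonces are remembered until their original expiry so a genuine replay can be told apart from a nonce that was never issued, and only the replay triggers session revocation; and the rate token is taken only after the nonce is validated, so a flood of forged requests cannot exhaust a legitimate session's budget. The `audit` list is where a detection pipeline would hook in.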
