
I have several endpoints to be accessed by a third party. (These are not registered users.) I am looking for the best way to ensure that no anonymous requester receives the data.

I have thought of using RSA: I give a public key, through another endpoint, that expires after about 10 minutes, to the requester. They then use that public key to encrypt the data, in a format like {requests:'users'}, but that would mean that if an outsider gets to know this format {requests:'users'}, he/she is able to request the private key, encrypt that data with it and still be in a position to send a successful request.

SecretAgentMan
Mbanda
  • Why not just a standard OAuth flow with proper authorization checks on the back-end, like most major APIs accomplish this today…? – esqew Aug 06 '21 at 12:47
  • First off, I agree with @esqew, you should examine existing solutions to see if they are adequate. Second, I'm unsure what you mean by "they are not registered users". If they are not registered in some way then they **are** anonymous, so what are you trying to do here? Thirdly, the normal way you confirm that a user is registered with public key cryptography is to have them *sign* something with their private key. You then must *verify* the signature. There are of course a million more details between the concept and the implementation. – President James K. Polk Aug 06 '21 at 15:16
  • To be a bit specific, I want to authorize server-to-server requests directly. – Mbanda Aug 06 '21 at 20:52
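The sign-then-verify approach described in the comments above, as an added example that is not part of the original question or of any answer on this page. It contrasts with the scheme in the question: encrypting a request with a public key proves nothing about the sender, because anyone who holds the public key can produce a valid ciphertext, whereas a signature can only be produced by the holder of the private key that was registered for that client. The code uses Ed25519 from Go's standard library; the client id "partner-a", the request body, the five-minute window and the in-memory nonce cache are all constructed for the demo. At onboarding the API operator stores each third-party server's public key; the private key never leaves that server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Registry holds the public key of every onboarded third-party server,
// keyed by a client identifier agreed at onboarding (constructed for the demo).
// Only public keys live on the API side; each client keeps its private key.
type Registry map[string]ed25519.PublicKey

// SignedRequest is the envelope a client sends. The signature covers the
// client id, a timestamp and a random nonce together with the body, so a
// captured request cannot be replayed, retargeted or edited later.
type SignedRequest struct {
	ClientID  string
	Timestamp int64  // Unix seconds at signing time
	Nonce     string // random, base64; rejected if seen again within the window
	Body      string // e.g. {"requests":"users"}
	Signature string // base64 Ed25519 signature over signingInput
}

// signingInput fixes the exact bytes both sides sign and verify.
func signingInput(r SignedRequest) []byte {
	return []byte(r.ClientID + "\n" + strconv.FormatInt(r.Timestamp, 10) + "\n" + r.Nonce + "\n" + r.Body)
}

// Sign is run by the third-party server with its own private key.
func Sign(clientID string, priv ed25519.PrivateKey, body string, now time.Time) (SignedRequest, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{
		ClientID:  clientID,
		Timestamp: now.Unix(),
		Nonce:     base64.StdEncoding.EncodeToString(nonce),
		Body:      body,
	}
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signingInput(r)))
	return r, nil
}

// Verifier is run by the API. It needs only public keys plus a small
// cache of recently accepted nonces to stop replays inside the window.
type Verifier struct {
	reg    Registry
	window time.Duration
	seen   map[string]int64 // "clientID:nonce" -> Unix time the entry expires
}

func NewVerifier(reg Registry, window time.Duration) *Verifier {
	return &Verifier{reg: reg, window: window, seen: make(map[string]int64)}
}

// Verify returns nil only if the request was signed by the private key matching
// the registered public key, is fresh, and its nonce has not been seen before.
func (v *Verifier) Verify(r SignedRequest, now time.Time) error {
	pub, ok := v.reg[r.ClientID]
	if !ok {
		return errors.New("unknown client id")
	}
	skew := int64(v.window.Seconds())
	if d := now.Unix() - r.Timestamp; d > skew || d < -skew {
		return errors.New("timestamp outside accepted window")
	}
	key := r.ClientID + ":" + r.Nonce
	if exp, dup := v.seen[key]; dup && exp > now.Unix() {
		return errors.New("nonce already used (replay)")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signingInput(r), sig) {
		return errors.New("signature does not verify")
	}
	// Record the nonce only after a successful check, so unauthenticated
	// traffic cannot fill the cache. Keep it for as long as the timestamp
	// check would still accept this request, then let it expire.
	v.seen[key] = r.Timestamp + skew + 1
	for k, exp := range v.seen {
		if exp <= now.Unix() {
			delete(v.seen, k)
		}
	}
	return nil
}

func main() {
	// Constructed demo: one onboarded client, one honest request, one replay.
	pub, priv, _ := ed25519.GenerateKey(nil)
	v := NewVerifier(Registry{"partner-a": pub}, 5*time.Minute)
	req, _ := Sign("partner-a", priv, `{"requests":"users"}`, time.Now())
	fmt.Println("first attempt:", v.Verify(req, time.Now()))
	fmt.Println("replayed:     ", v.Verify(req, time.Now().Add(time.Second)))
}
```

In a real deployment the nonce cache would live in shared storage (for example a store with TTL support) so every API instance sees the same entries, and the public keys would be tied to whatever onboarding process issues the client ids; the signed-envelope logic stays the same.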

0 Answers