July 2021
Intermediate to advanced
480 pages
14h 40m
English
Content preview from API Design Patterns
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
30 Request authentication
This chapter covers
- Requirements of a request authentication system
- Overview of digital signatures
- Credential generation, registration, and signing
- Fingerprinting HTTP requests
- Communicating the details of a signature
- Verifying signatures and authenticating HTTP requests
In this pattern, we’ll explore how and why to use public-private key exchange and digital signatures (https://en.wikipedia.org/wiki/Digital_signature) to authenticate all incoming API requests. This ensures that all inbound requests have guaranteed integrity and origin authenticity and that they cannot be later repudiated by the sender. While alternatives (e.g., shared secrets and HMAC; https://en.wikipedia .org/wiki/HMAC) are acceptable in the majority ...