Designing Secure API Interfaces with Token, Timestamp, and Signature Mechanisms

API interface security is built around three mechanisms—token, timestamp, and signature—to ensure data integrity and prevent replay attacks.

Token Authorization Mechanism

After a user logs in with username and password, the server returns a token (usually a UUID) and stores the token‑userId pair in a cache. The token is used as a credential for subsequent requests; if the token is missing or invalid, the request is rejected.

Timestamp Expiration Mechanism

Each request includes a current timestamp. The server compares it with the current time and rejects the request if the difference exceeds a predefined limit (e.g., five minutes), which also helps mitigate DoS attacks.

Signature Mechanism

The token, timestamp, and other parameters are concatenated and hashed with MD5, SHA‑1, or a salted variant to produce a signature (sign). The server recomputes the signature and compares it with the received one; a mismatch indicates tampering.

Optional Replay‑Prevention

The first request’s signature can be stored in the cache with the same expiration as the timestamp. Subsequent requests with the same signature within that window are rejected, ensuring a URL cannot be reused even if intercepted.

Typical request flow:

Client logs in and obtains a token.

Client generates a timestamp and includes it as a parameter.

Client sorts all parameters (including token and timestamp) and hashes them to create the signature.

Client appends token, timestamp, and signature to the request URL, e.g.,

http://api.com/users?token=asdsadasd×tamp=123&sign=123123123

.

Server validates token, checks timestamp freshness, and ensures the signature is not already cached before processing the request.

When all three mechanisms are applied, tampered requests fail signature verification, replay attacks are blocked, and DoS attempts are mitigated. In practice, projects may adopt a subset of these measures based on security requirements.