Designing Secure Third‑Party API Interfaces: Authentication, Signature, Token and Permission Management

When providing interfaces for third‑party systems, data security concerns such as tampering, staleness, and duplicate submissions must be addressed.

Design Overview

1. API Key Generation : Generate a unique Access Key/Secret Key pair for each third‑party application; the Access Key identifies the app, while the Secret Key is used for signing and encryption.

Permission Division

appID is the unique identifier of the application. appKey+appSecret together define permissions, allowing multiple appKey+appSecret pairs per appID for fine‑grained access control.

appKey: public key (account identifier)

appSecret: private key (password)

token: temporary credential with expiration

Signature Process

Each request must include timestamp , nonce and a sign generated as follows:

Collect all parameters (including appId , timestamp , nonce ) except sign and empty values.

Sort parameters by key in ascending order.

Concatenate as key1value1key2value2…keyNvalueN .

Append the secret key, then compute the MD5 hash and convert to uppercase; the result is sign .

Example:

appId=zs001&k1=v1&k2=v2&kX=vX&method=cancel&nonce=1234567890&timestamp=1612691221000
sign = MD5("appIdzs001k1v1k2v2kXvXmethodcancelnonce1234567890timestamp1612691221000" + "miyao").toUpperCase()

Anti‑Replay Measures

Combine timestamp (valid within 60 seconds) and a unique nonce stored in Redis; reject requests with expired timestamps or reused nonces.

Token Management

After successful authentication, the server issues a UUID token stored in Redis. Subsequent requests include the token for identity verification; token expiration and revocation are enforced server‑side.

API Interface Design Example

GET /api/resources – list resources (page, limit)

POST /api/resources – create resource (name, description)

PUT /api/resources/{resourceId} – update resource

DELETE /api/resources/{resourceId} – delete resource

All endpoints require the signed headers and token, use HTTPS, and return a unified JSON response containing code , message , and data .

Security Best Practices

Enforce HTTPS for data transmission.

Validate signatures on the server side.

Encrypt sensitive data with TLS.

Implement IP whitelist, rate limiting, request logging, and data masking.

Provide versioned APIs to avoid breaking changes.

The article also includes Java interceptor code for signature verification and a SQL script for storing API credentials.