How to Secure Third‑Party APIs with AK/SK, Signatures, and Token Strategies

Design Overview

Generate a unique Access Key/Secret Key (AK/SK) pair for each third‑party application, use AK for identification and SK for signing/encryption. Clients create a signature from request parameters, timestamp and nonce, and include it in headers for authentication.

Permission Division

Define appId as the global identifier, appKey (public) and appSecret (private) as a pair, and token for temporary access. Multiple appKey+appSecret pairs can be bound to the same appId to achieve fine‑grained permission control (read‑only, read‑write, delete, etc.).

Signature Process

Clients send timestamp (ms), nonce (unique random string) and sign (MD5 of sorted parameters + secret). Server validates timestamp freshness (e.g., within 60 s), checks nonce uniqueness in Redis, recomputes the signature and rejects replayed or tampered requests.

Signature Rules

Assign appId and appSecret to each caller.

Add timestamp (server time, 5‑minute validity) to mitigate DoS.

Add nonce (≥10 bytes) to prevent duplicate submissions.

Include sign calculated from all parameters and secret.

API Design Example

Typical REST endpoints (GET/POST/PUT/DELETE) with pagination, request/response formats, HTTP status codes, and a unified JSON response structure {code, message, data}. Use POST for all operations to avoid URL parameter exposure.

Security Considerations

Enforce HTTPS.

Validate AK and signature on every request.

Encrypt sensitive data with TLS.

Implement IP whitelist or Sentinel for additional protection.

Rate‑limit per IP using Redis counters.

Log requests for audit.

Mask sensitive fields in logs.

AK/SK Generation

Provide a management service to create, store (DB/Redis), rotate and distribute AK/SK securely. Store credentials in a table api_credentials with fields id, app_id, access_key, secret_key, valid_from, valid_to, enabled, allowed_endpoints, created_at.

Token Mechanism

Issue UUID tokens after user login; store token‑to‑user mapping in Redis with expiration. Use token together with signature for stateful APIs.

Implementation Samples

Java Spring interceptor SignAuthInterceptor validates timestamp, nonce and signature, stores nonce in Redis for 60 s, and rejects invalid requests. TLS setup example shows creating SSLContext and using HttpsURLConnection. Enum CodeEnum and class Result define unified response codes.

Best Practices

Separate API key management from business logic.

Rotate keys regularly.

Use RSA for encrypting sensitive payloads.

Version APIs (e.g., /v1/, /v2/).

Document APIs with Swagger.