How (not) to sign a JSON object (2019)

In this blog post, the author discusses the importance of authenticating consumers to an API, emphasizing the use of symmetric “signing” (MACs) over asymmetric tools to prevent security vulnerabilities. The author provides insights on how to properly sign JSON objects and offers alternative approaches to in-band JSON signing, highlighting the complexities of canonicalization. The author analyzes the evolution of request signing in popular services like AWS, pointing out vulnerabilities in previous versions and advocating for secure authentication methods like TLS and HMAC. The blog concludes with practical recommendations for ensuring API security and simplifying the signing process.

https://www.latacora.com/blog/2019/07/24/how-not-to/