Design and Security Practices for Third‑Party API Authentication and Authorization
This article presents a comprehensive design scheme for third‑party API interfaces, covering access‑key/secret‑key generation, permission segmentation, signature flow and rules, anti‑replay mechanisms, token handling, and concrete Java code examples for secure request validation.
The article outlines a complete solution for exposing third‑party APIs, beginning with the generation of unique Access Key (AK) and Secret Key (SK) pairs for each client and describing how AK identifies the application while SK is used for signing and encryption.
It then explains permission segmentation using appId, appKey, appSecret, and token, showing how these elements map to different access levels and how they can be stored and indexed in a database.
Signature flow is detailed: clients combine the request parameters, a timestamp, and a nonce, sort them alphabetically, concatenate the values, append the secret, and compute an MD5 hash to produce the sign value. The server validates the timestamp (it must fall within 60 seconds of server time) and checks the nonce against Redis to reject replayed requests.
Signature rules include adding a timestamp, a random nonce (at least 10 characters), and the final sign field to the request header, ensuring both freshness and uniqueness of each request.
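The signature and anti-replay flow just described, worked as an added Python example that is not code from the article (whose own samples are Java): compute_sign follows the article's MD5 rule exactly, and verify_request enforces the 60-second window, the 10-character nonce minimum and the nonce replay check, with an in-memory dictionary standing in for Redis. The parameter names, secret and header names are assumed.

```python
import hashlib
import hmac
import time

TIMESTAMP_WINDOW_SECONDS = 60  # freshness window stated in the article
NONCE_MIN_LENGTH = 10          # minimum nonce length stated in the article

def compute_sign(params, timestamp, nonce, app_secret):
    """Client side, per the article: merge params with timestamp and nonce, sort by
    key, concatenate the values, append the secret, MD5. Signing timestamp and nonce
    binds them to the request, so a captured sign cannot be replayed with new ones."""
    signed = dict(params, timestamp=str(timestamp), nonce=nonce)
    payload = "".join(str(signed[k]) for k in sorted(signed)) + app_secret
    return hashlib.md5(payload.encode("utf-8")).hexdigest()

class NonceStore:
    """In-memory stand-in for the Redis nonce set (constructed for this example).
    Entries only need to live as long as the timestamp window."""

    def __init__(self):
        self._expiry = {}  # nonce -> absolute expiry time

    def record(self, nonce, now):
        """Return True if the nonce was already used inside the window."""
        self._expiry = {n: t for n, t in self._expiry.items() if t > now}
        if nonce in self._expiry:
            return True
        self._expiry[nonce] = now + TIMESTAMP_WINDOW_SECONDS
        return False

def verify_request(params, headers, app_secret, store, now=None):
    """Server side. Returns (accepted, reason). The nonce is recorded only after
    the signature passes, so unsigned traffic cannot fill the store with junk."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > TIMESTAMP_WINDOW_SECONDS:
        return False, "timestamp outside 60s window"
    nonce = headers.get("nonce", "")
    if len(nonce) < NONCE_MIN_LENGTH:
        return False, "nonce shorter than 10 characters"
    expected = compute_sign(params, ts, nonce, app_secret)
    if not hmac.compare_digest(expected, headers.get("sign", "")):
        return False, "bad signature"  # constant-time comparison
    if store.record(nonce, now):
        return False, "replayed nonce"
    return True, "ok"
```

MD5 over a concatenated secret is what the article specifies; an HMAC (for example HMAC-SHA256 over the same canonical string) is the stronger construction and drops in at the hashlib.md5 line.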
API design examples cover RESTful endpoints for resource CRUD operations, HTTP method choices, pagination parameters, and standardized response structures (code, message, data). Additional best practices such as HTTPS, IP white‑listing, rate limiting, request logging, data masking, idempotency, versioning, and unified error codes are also discussed.
Anti‑replay protection is illustrated with a Java interceptor implementation:

import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.web.servlet.HandlerInterceptor;

public class SignAuthInterceptor implements HandlerInterceptor {
    // Redis client used to record and look up nonces; type arguments were lost in extraction and <String, String> is assumed
    private RedisTemplate<String, String> redisTemplate;
    private String key;
    // constructor, preHandle, signature generation, etc.
}

Secure transmission using TLS is demonstrated with a Java SSLContext setup:
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
// password is hard-coded to mirror the article's snippet; in practice read it from configuration
keyStore.load(new FileInputStream("keystore.jks"), "password".toCharArray());
// initialize key managers, trust managers, and create HttpsURLConnection

Finally, the article describes token generation and usage, differentiating API tokens (for unauthenticated endpoints) from user tokens (for authenticated actions), and shows how tokens are stored in Redis and validated on each request.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.