Ron McLeod wrote: Take a look at the approach in this post. It uses HMAC-based authentication based on a shared secret and the request's metadata/contents. The HMAC will be different with each request, and by using time as one of the factors, cannot be replayed (outside of the server's grace period).
Thank you so much for the answer.
So basically it is better to use a REST API, so it will be more scalable and can be used from different clients.
Could you give any other advice on this matter from an architectural point of view?
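The HMAC scheme described in the quoted post, sketched as an added example (not code from this thread or from the linked post): the client signs the method, path, timestamp and body hash with the shared secret, and the server recomputes the HMAC and rejects timestamps outside its grace period. The canonical string layout, the 300-second grace period, and all names are assumptions made for illustration.

```python
import hashlib
import hmac

GRACE_SECONDS = 300  # assumed server grace period; not specified in the thread


def canonical(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Build the byte string that gets signed (assumed layout)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: HMAC-SHA256 over the request metadata and contents."""
    msg = canonical(method, path, body, timestamp)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, method: str, path: str, body: bytes,
           timestamp: int, signature: str, now: int) -> bool:
    """Server side: check freshness first, then the HMAC in constant time."""
    if abs(now - timestamp) > GRACE_SECONDS:
        return False  # stale or future-dated: a replay outside the window
    expected = sign(secret, method, path, body, timestamp)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed sample request and secret, for demonstration only.
    secret = b"constructed-demo-secret"
    body = b'{"item": "book", "qty": 1}'
    sent_at = 1_700_000_000
    sig = sign(secret, "POST", "/api/orders", body, sent_at)

    print("fresh request:   ", verify(secret, "POST", "/api/orders", body, sent_at, sig, sent_at + 10))
    print("tampered body:   ", verify(secret, "POST", "/api/orders", b'{"qty": 99}', sent_at, sig, sent_at + 10))
    print("replay in window:", verify(secret, "POST", "/api/orders", body, sent_at, sig, sent_at + 299))
    print("replay too late: ", verify(secret, "POST", "/api/orders", body, sent_at, sig, sent_at + 301))
```

The "replay in window" case still verifies, which is the limitation the quoted post notes in parentheses: the timestamp alone only bounds replay to the grace period.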