We need to implement something along these lines to secure our API. This is interesting, but I need help understanding why the server can't just provide a random session_key after successful authentication. As long as that session_key is valid on the API, do I care about GUIDs and public keys? What is the "Needham-Schroeder-Lowe Public-Key Protocol" portion of this providing?
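The three-message exchange the question names, as an added simulation that is not part of the original post or of any library the poster is using. It shows what the protocol provides beyond handing out a random token: each side proves it could open a message sealed to its own public key (authentication), the nonces N_A and N_B make each run fresh, and Lowe's addition of the responder's identity to message 2 lets the initiator check that the reply is bound to the party it actually addressed. The asymmetric cipher is replaced by a toy "sealed box" that only the named recipient can open (an assumption so the script runs offline with the standard library), and deriving a session key from the two nonces is a common choice, not part of the protocol definition.

```python
"""Needham-Schroeder-Lowe public-key protocol, simulated.

Constructed example. {payload}_{pk_X} is modelled by a Sealed box that only
principal X can open; the message layout and the checks each side performs
are the point, not the cipher.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Sealed:
    """Stands in for public-key encryption to `recipient`."""
    recipient: str
    payload: tuple


def seal(recipient: str, *fields) -> Sealed:
    return Sealed(recipient, tuple(fields))


def open_box(me: str, box: Sealed) -> tuple:
    # With a real cipher the wrong private key simply fails to decrypt.
    if box.recipient != me:
        raise PermissionError(f"{me} cannot open a box sealed for {box.recipient}")
    return box.payload


class Initiator:
    """A, e.g. the API client."""

    def __init__(self, name: str):
        self.name, self.peer, self.n_a, self.n_b = name, None, None, None

    def msg1(self, peer: str) -> Sealed:
        # 1. A -> B: {N_A, A}_{pk_B}
        self.peer = peer
        self.n_a = secrets.token_bytes(16)
        return seal(peer, self.n_a, self.name)

    def handle_msg2(self, box: Sealed) -> Sealed:
        # 2. B -> A: {N_A, N_B, B}_{pk_A}; A checks freshness and the identity
        n_a, n_b, claimed = open_box(self.name, box)
        if n_a != self.n_a:
            raise ValueError("N_A mismatch: not a fresh reply to my challenge")
        if claimed != self.peer:
            raise ValueError("responder identity mismatch (Lowe's check)")
        self.n_b = n_b
        # 3. A -> B: {N_B}_{pk_B}
        return seal(self.peer, n_b)

    def session_key(self) -> bytes:
        # Constructed choice: derive a key from both nonces after the handshake.
        return hashlib.sha256(self.n_a + self.n_b).digest()


class Responder:
    """B, e.g. the API server."""

    def __init__(self, name: str):
        self.name, self.peer, self.n_a, self.n_b = name, None, None, None

    def handle_msg1(self, box: Sealed) -> Sealed:
        n_a, peer = open_box(self.name, box)
        self.n_a, self.peer = n_a, peer
        self.n_b = secrets.token_bytes(16)
        return seal(peer, n_a, self.n_b, self.name)

    def handle_msg3(self, box: Sealed) -> None:
        (n_b,) = open_box(self.name, box)
        if n_b != self.n_b:
            raise ValueError("N_B mismatch: peer did not prove it opened message 2")

    def session_key(self) -> bytes:
        return hashlib.sha256(self.n_a + self.n_b).digest()


def run_protocol(a_name: str = "client", b_name: str = "api") -> tuple:
    """Full run; both sides end with the same key only if every check passed."""
    a, b = Initiator(a_name), Responder(b_name)
    m3 = a.handle_msg2(b.handle_msg1(a.msg1(b_name)))
    b.handle_msg3(m3)
    return a.session_key(), b.session_key()


def misbound_reply_is_rejected() -> bool:
    """A message 2 that echoes N_A correctly but names a different responder
    than the one A addressed must be refused by the initiator."""
    a = Initiator("client")
    n_a, _ = a.msg1("api").payload
    misbound = seal("client", n_a, secrets.token_bytes(16), "other-service")
    try:
        a.handle_msg2(misbound)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = run_protocol()
    print("keys match:", ka == kb)
    print("misbound reply rejected:", misbound_reply_is_rejected())
```

A random session_key issued after login still needs the login itself to be authenticated; the nonce round trip is what gives each side evidence that the other holds the matching private key in this run, and the identity field in message 2 is what stops a correctly echoed N_A from being accepted from the wrong party.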