[smashed]

Your first approach reminds me of http message signature:

https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-...

Library support for it is spotty, depending on your framework of choice but they exists.

Your second approach is covered by oAuth refreshable tokens I believe.

I went through the same process as you in an API project, eventually ended up using Keycloak as the auth server.

[georgekb]

Wow, never heard of HTTP Message Signatures until now. However, like I said, Clock skew is a huge problem in this method. I found out about it much later after implementation when I used the client on some old Windows machine whose clock wasn't synchronized and I spent like a day until I figured out it was the clock skew which made this whole method look suspicious to me even it's obviously much more secure. It could be great in a microservice environment where you're pretty sure that all your endpoints have well synced clock, but when your clients are browsers and PCs, it is about time until you experience it.

As for the second approach, yes exactly it's very similar to OAuth2. In fact I guess this is the method used by GCP APIs by service accounts. The clients use their long-lived secrets to get an oauth2 access token, this access token is JWT I guess that also contains authorization information such as scopes.