I would use JWT restricted to a specific algorithm, or use something like GCP service accounts. So require that the client provides a service account ID that they control, and that the requests are authenticated with an id_token from the given service account, with the audience set to your service. That way you won't need to exchange secrets or keys, and the consumer can delegate permissions within their organization. I'm pretty sure AWS IAM has similar mechanisms for delegating access. If based outside the cloud it doesn't add much for your customer, but if your customer is in the cloud they won't have to manage secrets. The downside is vendor lock-in, of course, but supporting multiple cloud vendors wouldn't be hard. Maybe not the most idealistic solution, but very pragmatic -- especially if your customer is in a cloud already. Disclaimer: I work for Google (not GCP); these are my personal views.
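The verifying side of the scheme in the comment above, as an added example in Go that is not part of the original post: the token's algorithm is pinned to RS256 before anything else is trusted, the issuer and audience must be the ones we expect, and the `email` claim must name a service account the customer registered with us. The `Verifier` type, the `mint` helper (a stand-in for the cloud's token endpoint so the example runs offline), the `Demo` function, the key ID, URLs and service-account names are all assumed or constructed; a real deployment fetches the signing keys from the issuer's JWKS endpoint by `kid` and, outside Google service-account tokens, should also accept `aud` as a JSON array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Verifier is a hypothetical implementation of the scheme from the comment (not a library
// API): alg pinned, issuer and audience must be ours, caller must be a registered account.
type Verifier struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey // kid -> key; from the issuer's JWKS in production
	Accounts         map[string]bool           // service-account emails the customer registered with us
}
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}
type claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"` // assumed a single string, as in Google service-account ID tokens
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func (v *Verifier) Verify(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var h header
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &h) != nil {
		return nil, fmt.Errorf("bad header")
	}
	// Pin the algorithm before trusting anything else; the token never gets to choose it.
	if h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	key := v.Keys[h.Kid] // nil when the kid is unknown
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or bad signature", h.Kid)
	}
	var c claims // claims are only read once the signature holds
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != v.Issuer || c.Aud != v.Audience:
		return nil, fmt.Errorf("not issued for us: iss=%q aud=%q", c.Iss, c.Aud)
	case time.Now().Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !v.Accounts[c.Email]:
		return nil, fmt.Errorf("service account %q not registered", c.Email)
	}
	return &c, nil
}

// mint plays the cloud's token endpoint (offline stand-in): an RS256-signed id_token.
func mint(priv *rsa.PrivateKey, kid string, c claims) string {
	hj, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	cj, _ := json.Marshal(c)
	in := b64.EncodeToString(hj) + "." + b64.EncodeToString(cj)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig)
}

// Demo accepts one good token and rejects three bad ones: wrong audience, an unregistered
// service account, and an alg=none forgery.
func Demo() (accepted string, rejected []string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sa := "ci@customer-proj.iam.gserviceaccount.com" // all names here are constructed
	v := &Verifier{
		Issuer: "https://accounts.google.com", Audience: "https://api.example.com",
		Keys:     map[string]*rsa.PublicKey{"kid-1": &priv.PublicKey},
		Accounts: map[string]bool{sa: true},
	}
	good := claims{Iss: v.Issuer, Aud: v.Audience, Email: sa, Exp: time.Now().Add(time.Hour).Unix()}
	if c, err := v.Verify(mint(priv, "kid-1", good)); err == nil {
		accepted = c.Email
	}
	wrongAud, stranger := good, good
	wrongAud.Aud, stranger.Email = "https://other.example.com", "intruder@attacker-proj.iam.gserviceaccount.com"
	// Classic alg=none forgery: keep the signed payload, swap the header, drop the signature.
	none := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(mint(priv, "kid-1", good), ".")[1] + "."
	for _, tok := range []string{mint(priv, "kid-1", wrongAud), mint(priv, "kid-1", stranger), none} {
		_, err := v.Verify(tok)
		rejected = append(rejected, fmt.Sprint(err))
	}
	return accepted, rejected
}
```

The order of checks matters: the algorithm is fixed before the key is even selected, the signature is checked before any claim is parsed, and only then are issuer, audience, expiry and the registered-account allowlist applied, so a forged or cross-tenant token never reaches application logic.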