by Aqua_Geek 5121 days ago
> Are you attempting to reencrypt the parameters with another key? If so then why run that through https?

I think they are talking about generating a hash from all of the parameters in the request + a secret, pre-shared key. Doing so prevents MITM attacks from changing the parameters.

IIRC, Amazon does this (among many others).

1 comment

Exactly. Have a look here for some information on how to do this: http://www.thebuzzmedia.com/designing-a-secure-rest-api-with...
This article also inspired me to lock down my own API I designed; it's really good advice. The only question is: they wanted to provide a very simple interface, so what is the right trade-off between security and developer UI?
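The scheme both comments describe, a keyed hash over the request parameters so that a man-in-the-middle cannot alter them, as an added example that is not from the thread or from the linked article. It uses HMAC-SHA256 rather than a plain hash of `secret + parameters` (a plain concatenation hash built on SHA-1 or SHA-256 is open to length-extension forgery; HMAC is not, and it is what Amazon's request-signing scheme uses). The shared secret, the path and the parameter values are constructed for the example; the canonicalization format (method, path, sorted percent-encoded query) is this example's own convention, not a standard one.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample secret for the example; a real API issues one per client.
SHARED_SECRET = b"constructed-example-secret"


def canonicalize(method, path, params):
    """Build the exact byte string both sides MAC.

    Parameters are sorted so client and server agree regardless of the order
    the HTTP library emits them, and percent-encoded so a value containing
    '&' or '=' cannot be confused with a separator. The signature parameter
    itself is excluded; everything else, including the timestamp, is covered.
    """
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    query = "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}" for k, v in items
    )
    return f"{method.upper()}\n{path}\n{query}".encode()


def sign_request(secret, method, path, params, timestamp=None):
    """Client side: add a timestamp and an HMAC over the canonical request."""
    signed = dict(params)
    signed["timestamp"] = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(secret, canonicalize(method, path, signed), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


def verify_request(secret, method, path, params, now=None, max_skew=300):
    """Server side: recompute the HMAC and compare in constant time.

    The timestamp is part of the MAC'd data, so an attacker cannot move it;
    the skew window bounds how long a captured request can be replayed.
    """
    sig = params.get("signature")
    ts = params.get("timestamp")
    if sig is None or ts is None:
        return False
    try:
        ts = int(ts)
    except (TypeError, ValueError):
        return False
    now = int(now if now is not None else time.time())
    if abs(now - ts) > max_skew:
        return False
    expected = hmac.new(secret, canonicalize(method, path, params), hashlib.sha256)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected.hexdigest(), str(sig))


if __name__ == "__main__":
    req = sign_request(SHARED_SECRET, "GET", "/v1/orders",
                       {"user": "42", "amount": "10"}, timestamp=1_700_000_000)
    print("valid:", verify_request(SHARED_SECRET, "GET", "/v1/orders", req,
                                   now=1_700_000_010))
    tampered = dict(req, amount="1000")  # MITM edits a parameter in flight
    print("tampered:", verify_request(SHARED_SECRET, "GET", "/v1/orders",
                                      tampered, now=1_700_000_010))
```

Two caveats worth keeping in mind when weighing the trade-off the second comment raises: the signature only gives integrity and origin, not confidentiality, so the parameters are still readable on the wire without TLS; and the timestamp window limits replay but does not eliminate it, so an API that must reject duplicates within the window needs a nonce store as well.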