[3np]

I think it's a very important and interesting problem you're tackling and you probably need to iterate a bit further on several points of the architecture and protocol.

As to your main question re the proxy: Why is there a proxy in the first place? The client could just make the same requests the proxy would directly to the multiple parties, obviating the for it, no?

[ah1508]

Thanks for your answer.

Without the proxy the client would request a specific instance of the API (university 1, university 2, NGO 1, NGO 2), which then would be responsible for forwarding the data to the other. What if he changes the code and forward a false data:

user A votes for candidate X (HTTP POST request received by API deployed at university 1). API deployed at university A is compromised (by the university itself or not) and the information persisted in the DB is "user A votes for candidate Y". This information is then forwarded to other API.

If a proxy like NGINX is responsible for request forwarding the problem is solved (assuming that all parties trust nginx and its "mirror" module). https://nginx.org/en/docs/http/ngx_http_mirror_module.html

[3np]

no, no forwarding. have the client contact all sites directly.

> What if he changes the code and forward a false data:

Presumably you will find a cryptographer to help you construct a scheme preventing this via cryptographic signatures. You'd do well to investigate prior art.

[ah1508]

You're right, we can get rid of the proxy. If the multiple API calls are made from the browser it is even more traceable, user can see these requests in the source code and from the devtools network console.

Each API has its database which contains the accesskey for each user, if this data is stolen the attacker can send HTTP POST requests to API with valid access key. To reject these forged request a code can be sent to the user in the invitation message while each database has a bcrypt hash of the code along the access key. When an API receives a POST requests it can check if the code present in the request body matches with the hash he has in its database. So having the access key is not enough to send request, someone who steal a db cannot do anything with the data and cannot propagate false data to other APIs.

[3np]

I recommend you read up some more on prior art and work before digging the design deeper.