[ah1508]

Thanks for your answer.

Without the proxy the client would request a specific instance of the API (university 1, university 2, NGO 1, NGO 2), which then would be responsible for forwarding the data to the other. What if he changes the code and forward a false data:

user A votes for candidate X (HTTP POST request received by API deployed at university 1). API deployed at university A is compromised (by the university itself or not) and the information persisted in the DB is "user A votes for candidate Y". This information is then forwarded to other API.

If a proxy like NGINX is responsible for request forwarding the problem is solved (assuming that all parties trust nginx and its "mirror" module). https://nginx.org/en/docs/http/ngx_http_mirror_module.html

[3np]

no, no forwarding. have the client contact all sites directly.

> What if he changes the code and forward a false data:

Presumably you will find a cryptographer to help you construct a scheme preventing this via cryptographic signatures. You'd do well to investigate prior art.

[ah1508]

You're right, we can get rid of the proxy. If the multiple API calls are made from the browser it is even more traceable, user can see these requests in the source code and from the devtools network console.

Each API has its database which contains the accesskey for each user, if this data is stolen the attacker can send HTTP POST requests to API with valid access key. To reject these forged request a code can be sent to the user in the invitation message while each database has a bcrypt hash of the code along the access key. When an API receives a POST requests it can check if the code present in the request body matches with the hash he has in its database. So having the access key is not enough to send request, someone who steal a db cannot do anything with the data and cannot propagate false data to other APIs.

[3np]

I recommend you read up some more on prior art and work before digging the design deeper.