by 3np
278 days ago
No, no forwarding. Have the client contact all sites directly.

> What if he changes the code and forwards false data:

Presumably you will find a cryptographer to help you construct a scheme preventing this via cryptographic signatures. You'd do well to investigate prior art.

Each API has its own database, which contains the access key for each user; if this data is stolen, the attacker can send HTTP POST requests to the API with a valid access key. To reject these forged requests, a code can be sent to the user in the invitation message, while each database holds a bcrypt hash of the code alongside the access key. When an API receives a POST request, it can check whether the code present in the request body matches the hash it has in its database. So having the access key is not enough to send a request; someone who steals a DB cannot do anything with the data and cannot propagate false data to other APIs.
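The check described in this post, written out as an added example (not code from the thread): each record stores the access key beside a slow hash of the invitation code, and a POST is accepted only when the submitted code re-hashes to the stored value, so a copy of the database alone cannot produce a valid request. PBKDF2 from the standard library stands in for bcrypt, and the record layout and field names are assumptions.

```python
import hashlib
import hmac
import os
import secrets


def hash_code(code: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a per-record salt.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)


def register_user(db: dict, user_id: str) -> tuple[str, str]:
    """Create a user; return (access_key, code). The code goes to the user
    in the invitation message and is never stored in clear (assumed layout)."""
    access_key = secrets.token_urlsafe(32)
    code = secrets.token_urlsafe(16)
    salt = os.urandom(16)
    db[user_id] = {"access_key": access_key, "salt": salt,
                   "code_hash": hash_code(code, salt)}
    return access_key, code


def verify_request(db: dict, body: dict) -> bool:
    """Server-side check of a POST body {user, access_key, code}."""
    rec = db.get(body.get("user", ""))
    if rec is None:
        return False
    # Constant-time comparisons so timing does not leak the stored values.
    key_ok = hmac.compare_digest(rec["access_key"], body.get("access_key", ""))
    code_ok = hmac.compare_digest(
        rec["code_hash"], hash_code(body.get("code", ""), rec["salt"]))
    return key_ok and code_ok


def demo() -> tuple[bool, bool]:
    """Return (legitimate request accepted, request forged from a stolen DB accepted)."""
    db: dict = {}
    key, code = register_user(db, "alice")
    legit = verify_request(db, {"user": "alice", "access_key": key, "code": code})
    # An attacker holding a stolen copy of the DB knows the key and the hash
    # but not the code; replaying the hash in place of the code is rejected.
    stolen = dict(db)
    forged = verify_request(db, {"user": "alice",
                                 "access_key": stolen["alice"]["access_key"],
                                 "code": stolen["alice"]["code_hash"].hex()})
    return legit, forged
```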