[arethuza]

It does seem a bit odd - they say:

"Our backend checks if a query is legit by computing all the possible hashes using all your available API keys"

So why not just forget about the crypto (with all the risks of getting it wrong) and use an opaque bearer token?

[Xylakant]

If you want to validate a bearer token, multiple backends in different datacenters need to share a datastore that replicates at least somewhat fast. If you use HMAC-Signed URLS you just need to replicate the API keys that you use to calculate the token and the required guarantees are lower than for a bearer token. In principle, the method is sound - AWS uses a similar approach for signed URLs that allow access to S3 resources.

[arethuza]

Yes - that makes sense - thanks.

I guess it's a question of where do you store application state - do it at the server and then you have to replicate the database that stores that state. Store session state at the client and pass it to the server means you can go to any data center at the potential risk of getting the security wrong.