DocumentCode :
3707106
Title :
A Token-Based User Authentication Mechanism for Data Exchange in RESTful API
Author :
Xiang-Wen Huang; Chin-Yun Hsieh; Cheng Hao Wu; Yu Chin Cheng
Author_Institution :
Dept. of Comput. Sci. &
fYear :
2015
Firstpage :
601
Lastpage :
606
Abstract :
The RESTful Web-Service API is widely used to support interoperable machine-to-machine interaction over a network. A RESTful API allows the server to authenticate each client by cookies or sessions over the HTTP protocol. However, it is easy for a hacker to steal the identification information, e.g., by tapping the broadcast packets or by providing a fake proxy to do so. With the stolen identity, the hacker can disguise himself as an authenticated client to interact with a server. In this research, we propose a new mechanism called disposable token, which is based on token authentication of RESTful API over the HTTP protocol. This mechanism asks a client to store the public and private token pair computed by the server. In each communication, the client uses the stored public token, private token and the current timestamp to produce a disposable token, which is subsequently received by the server for verification. With this mechanism, each communication will be valid only in a fixed period of time, thus reducing the risk of stolen identity.
Keywords :
"Servers","Authentication","Uniform resource locators","Protocols","Web services","Databases"
Publisher :
IEEE
Conference_Titel :
Network-Based Information Systems (NBiS), 2015 18th International Conference on
Type :
conf
DOI :
10.1109/NBiS.2015.89
Filename :
7350686