
Let's say you are designing a new API. The consumer of your API is a mobile app that periodically sends requests in the background, but you expect other consumers as well, such as web apps or servers.

Now let's consider two schemes:

In scheme number one, you create a login endpoint that accepts your username and password, and in response issues a short-lived JWT.

In scheme number two, the client of the API uses an HMAC signature to sign each request, just like Amazon protects its API.

How would you compare the two? It seems that scheme number two is more computationally intensive for the API client, but in both schemes it all boils down to one secret key/password that you must keep on your device or server. How does that make scheme number two more secure?

Then you have scheme number three, which is OAuth2, but does it make sense if there is no third party involved?

Thanks.

Mister_L

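To make the "scheme number two" side of the question concrete, here is an added example of per-request HMAC signing and its server-side check. It is not the asker's code and not Amazon's actual signing scheme; the header names, the canonical-string layout, the 300-second clock-skew window, the key id and the shared secret are all assumptions constructed for the example. What it shows that the prose does not: the secret itself never appears in a request (unlike a password sent to a login endpoint), every signature is bound to the method, path, body and time of one specific request, and the server rejects a tampered body, a stale request, and a straight replay.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a key id / shared secret pair provisioned to
# the client out of band. The secret is never transmitted; only proofs of
# knowledge (HMAC tags) are. Constructed demo values, not for production.
KEY_ID = "demo-key-1"
SECRETS = {KEY_ID: b"constructed-demo-secret-not-for-production"}

# How far a request's timestamp may drift from the server clock (assumed 5 min).
MAX_SKEW_SECONDS = 300

# Nonces accepted inside the skew window; a real server would expire entries
# once they are older than MAX_SKEW_SECONDS and share the store across nodes.
SEEN_NONCES: set = set()


def canonical_request(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind everything that matters about one request into a single string.

    Hashing the body (rather than embedding it) keeps the string short and
    means a modified body changes the signature. The layout is an assumption
    of this example, not a standard format.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 tag over the canonical request, hex-encoded."""
    return hmac.new(secret, canonical_request(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()


def client_build_request(key_id: str, method: str, path: str, body: bytes, now=None, nonce=None) -> dict:
    """Client side: attach key id, timestamp, nonce and signature as headers.

    `now` and `nonce` are injectable so the example is reproducible offline.
    """
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    sig = sign_request(SECRETS[key_id], method, path, ts, nonce, body)
    return {
        "method": method,
        "path": path,
        "body": body,
        "headers": {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig},
    }


def server_verify(request: dict, now=None) -> tuple:
    """Server side: recompute the signature and apply freshness/replay checks.

    Returns (accepted, reason). Checks are ordered so that nothing an
    unauthenticated sender controls (the nonce) is recorded before the
    signature has been verified.
    """
    headers = request["headers"]
    secret = SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    nonce = headers.get("X-Nonce", "")
    expected = sign_request(secret, request["method"], request["path"], ts, nonce, request["body"])
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    req = client_build_request(KEY_ID, "POST", "/v1/sync", b'{"pending": 3}', now=t0)
    print("tampered body:", server_verify(dict(req, body=b'{"pending": 0}'), now=t0))
    print("stale request:", server_verify(req, now=t0 + 600))
    print("first delivery:", server_verify(req, now=t0))
    print("exact replay:  ", server_verify(req, now=t0))
```

The point relevant to the question: in both schemes the device holds one long-term secret, but here that secret is only ever used as an HMAC key, so a captured request yields neither the secret nor a reusable credential, while in the password-plus-JWT scheme the password itself crosses the wire at login and the JWT is a bearer token that anyone who captures it can present until it expires. The cost is the extra bookkeeping shown above (clock skew tolerance and a bounded nonce store), which is what makes the scheme heavier for the client and server alike.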