This should not be merged in until the backend changes are running in prod.
We have removed nonces in favor of having an optional layer of security which protects against replay attacks and ensures request order. Clients can optionally create an API session (POST /sessions). In subsequent requests they can include this sessionId with a requestNumber which is incremented by one each time. Sessions expire after 15 minutes of inactivity.
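A sketch of the server-side check this scheme implies, added here as an illustration; it is not code from this PR or from the backend. The class, method and result names are hypothetical, and it assumes the first requestNumber in a session is 1 and that the request has already been authenticated before this check runs.

```python
import secrets
import threading
import time

SESSION_TTL_SECONDS = 15 * 60  # from the description: 15 minutes of inactivity


class SessionStore:
    """In-memory table: sessionId -> [last accepted requestNumber, last seen]."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._lock = threading.Lock()  # check-and-increment must be atomic
        self._sessions = {}

    def create(self):
        """Server side of POST /sessions: issue an unguessable sessionId."""
        session_id = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[session_id] = [0, self._clock()]
        return session_id

    def check(self, session_id, request_number):
        """Return 'ok', 'unknown_session', 'expired' or 'bad_request_number'."""
        with self._lock:
            entry = self._sessions.get(session_id)
            if entry is None:
                return "unknown_session"
            last_number, last_seen = entry
            now = self._clock()
            if now - last_seen > SESSION_TTL_SECONDS:
                del self._sessions[session_id]
                return "expired"
            # Assumption: first request is 1; a rejected request does not
            # advance the counter or refresh the inactivity timer.
            if type(request_number) is not int or request_number != last_number + 1:
                return "bad_request_number"
            entry[0], entry[1] = request_number, now
            return "ok"


def demo():
    """Constructed sequence: two good requests, a replay, a gap, then idle expiry."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create()
    results = [store.check(sid, n) for n in (1, 2, 2, 4)]
    now[0] += SESSION_TTL_SECONDS + 1
    results.append(store.check(sid, 3))
    return results
```

The lock matters because two copies of the same request arriving concurrently must not both pass the comparison before either one advances the counter.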