Servers could use their private key + the userId to create an HMAC hash that can be passed to the client; the client can then send that plus the app's public key and the userId to authenticate itself to the API server.
This removes the need for the round trip to the API server to generate a personal API key for each client.
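The flow proposed above, sketched as an added example (not code from the original post or the project). HMAC-SHA256, the hex encoding, the `APP_KEYS` lookup table and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample data: the API server's record of registered apps,
# mapping each app's public key (used as an identifier) to its private key.
APP_KEYS = {"pk_demo_app": b"constructed-private-key-for-demo"}


def sign_user_id(private_key: bytes, user_id: str) -> str:
    """App server: derive the per-user token from the private key and userId."""
    return hmac.new(private_key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(public_key: str, user_id: str, token: str) -> bool:
    """API server: recompute the HMAC for the claimed userId and compare.

    No per-user state is needed; the public key only selects which
    private key to verify against.
    """
    private_key = APP_KEYS.get(public_key)
    if private_key is None:
        return False  # unknown app
    expected = sign_user_id(private_key, user_id)
    # Compare as bytes in constant time so the check leaks no timing
    # information and cannot raise on non-ASCII input.
    return hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))


def demo() -> dict:
    """Run the exchange: app server issues a token, client presents it."""
    token = sign_user_id(APP_KEYS["pk_demo_app"], "alice")
    return {
        "valid": verify_request("pk_demo_app", "alice", token),
        # The token is bound to the userId it was issued for.
        "other_user": verify_request("pk_demo_app", "bob", token),
        "unknown_app": verify_request("pk_other_app", "alice", token),
    }


if __name__ == "__main__":
    print(demo())
```

The token is a deterministic function of the private key and userId, so it stays valid until the app's private key is rotated.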