Securing our REST API

Any IBM i topic that does not fit in another forum
allthom
Posts: 10
Joined: Thu Apr 13, 2023 4:02 pm


Post by allthom »

A few years ago, following the examples published in a nice series of articles on the IBM developer network, I created a REST API with IWS for a company I work with: around thirty methods that were used to expose basic functions such as creation/querying/modification of customer data and orders and their progress. At the time we didn't worry too much about the security aspects, because the APIs were only exposed to the company's e-commerce site and only had to interact with that.

Now I have received a request to make some of these APIs public, with the only constraint that, as far as possible, everything must continue to remain in the IBM/Power i context, continuing to use RPG ILE as the back-end development language.

I would like to understand which path to take to strengthen the security of the APIs.

I know very well that there are a handful of products out there that do this job: they allow the publication of APIs, making life easier for those who have to manage them (at least I hope).

However, as a professional, I don't mind delving deeper and understanding these features better.

Now, in my specific context, I could certainly require basic authentication with username and password, to which I can associate the generation of a JWT "token". The token, a random string of 20/25 characters, should be recorded in a table, I believe, with a timestamp that declares its expiry; each request received requires validating the token received, possibly updating the expiry timestamp.

Alternatively, I could always generate a random string of n characters that the client could use as an x-api-key header.

In your personal experience, what is the best strategy for making public APIs secure? In your opinion, from the point of view of RPG management, what is the best approach, also in terms of future maintenance? Thanks in advance for your attention and replies.
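The token-table scheme and the x-api-key alternative described in the post above, as an added Python example that is not the poster's code (the poster's implementation would be RPG ILE and DB2 on IBM i; the in-memory dicts, the 30-minute sliding TTL and the function names are assumptions standing in for that). It shows the points a reviewer would check in such a scheme: the token comes from a CSPRNG with far more entropy than a 20/25-character string, only its hash is stored, expired rows are deleted on sight, and the API-key lookup does not exit early.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # sliding expiry window for session tokens (assumed)

# Constructed in-memory stand-ins for the two tables a real IWS service would keep
# in DB2. Only the SHA-256 of a credential is stored, so a table dump is not replayable.
TOKEN_TABLE: Dict[str, Tuple[str, int]] = {}  # token_hash -> (user, expires_at)
API_KEYS: Dict[str, str] = {}                 # key_hash -> client name

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def issue_token(user: str, now: int) -> str:
    """After Basic auth succeeds: mint a 256-bit random token (43 URL-safe
    chars) and record its hash with an expiry timestamp (epoch seconds)."""
    token = secrets.token_urlsafe(32)
    TOKEN_TABLE[_digest(token)] = (user, now + TOKEN_TTL_SECONDS)
    return token

def validate_token(token: Optional[str], now: int) -> Optional[str]:
    """Return the user owning a live token, else None. The lookup is by hash,
    an expired row is deleted on sight, and a valid hit slides the expiry."""
    h = _digest(token or "")
    entry = TOKEN_TABLE.get(h)
    if entry is None:
        return None
    user, expires_at = entry
    if now >= expires_at:
        del TOKEN_TABLE[h]
        return None
    TOKEN_TABLE[h] = (user, now + TOKEN_TTL_SECONDS)
    return user

def register_api_key(client: str) -> str:
    key = secrets.token_urlsafe(32)
    API_KEYS[_digest(key)] = client
    return key

def validate_api_key(header_value: Optional[str]) -> Optional[str]:
    """x-api-key path: constant-time compare against every stored hash, no early exit."""
    h = _digest(header_value or "")
    match = None
    for stored_hash, client in API_KEYS.items():
        if hmac.compare_digest(stored_hash, h):
            match = client
    return match
```

In the RPG version the same rule applies: the SQL table holds the hash column, the request handler hashes the incoming header value and selects on that, and the UPDATE of the expiry happens only after the row is confirmed live.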