Comment by hparadiz
13 days ago
This is a solved problem in the authentication space. Short lived tokens backed by short lived keys.
A token is generated that has a timestamp and is signed by a private key with payload.
The public key is available through a public API. You throw out any token older than 30 seconds.
Unlimited IDs.
That's basically what you want.
Which either allows a fingerprint of the signing key to be used for the same.
Or would open the system up to the originally posted attack of providing ~an open relay.
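The scheme described in the comment (timestamped payload, signed with a private key whose public half is published, anything older than 30 seconds discarded), as an added example that is not the commenter's code. It assumes Ed25519, a signed message of the form 8-byte big-endian Unix timestamp followed by the payload, and a symmetric window that also rejects future-dated tokens, none of which the comment specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Freshness window from the comment: a verifier throws out anything older.
const maxAge = 30 * time.Second

// Token carries the issue time (Unix seconds), the payload, and an Ed25519
// signature over both, so neither timestamp nor payload can be altered.
type Token struct {
	Issued  int64
	Payload []byte
	Sig     []byte
}
// message is the byte string that is signed: 8-byte big-endian timestamp || payload.
func message(issued int64, payload []byte) []byte {
	msg := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(msg, uint64(issued))
	return append(msg, payload...)
}

// Issue stamps payload with now and signs it with the issuer's private key.
func Issue(priv ed25519.PrivateKey, payload []byte, now time.Time) Token {
	ts := now.Unix()
	return Token{Issued: ts, Payload: payload, Sig: ed25519.Sign(priv, message(ts, payload))}
}

// Verify checks the signature before trusting the timestamp, then enforces the
// window in both directions: stale replays and future-dated tokens are rejected.
func Verify(pub ed25519.PublicKey, t Token, now time.Time) error {
	if !ed25519.Verify(pub, message(t.Issued, t.Payload), t.Sig) {
		return errors.New("bad signature")
	}
	if age := now.Sub(time.Unix(t.Issued, 0)); age > maxAge || age < -maxAge {
		return errors.New("token outside freshness window")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the public API would serve
	tok := Issue(priv, []byte(`{"sub":"alice"}`), time.Now())
	fmt.Println(Verify(pub, tok, time.Now()), Verify(pub, tok, time.Now().Add(45*time.Second)))
}
```

Because the timestamp is inside the signed bytes, a relay cannot re-stamp a captured token to keep it alive; it has to obtain a fresh signature from the holder of the private key.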