So, you have web client who want to call some rest service calls. How can you secure these calls?
TRUST OF THE CLIENT
The solution is below and is used also from Amazon Web Services
A server and a client have a common secret. They both know the private key of the client. The public key of the client is known to everyone.
When the client wants to send a request to the server, it has to create a unique HMAC, which is being created combining the request data. He sends also his public key with the URL.
The server gets the request and re-generates it’s own unique HMAC (hash) based on the submitted values using the same methods the client used. He uses the client public key to find the private key of the client.
The server then compares the two HMACs. The client is trusted only if they are equal.
That’s all with the trust of the user sent the request
The best mechanism for defense against a replay attack is to ensure all your requests are made over an SSL connection