Ephemeral APIs and/or ZKP-Enabled APIs that are an extension of the OAuth Access Token Expiry mechanism

nathanaw

Hello! I am an API architect and I am exploring solutions around ZKP-Enabled and/or Ephemeral APIs that are an extension of the OAuth Access Token Expiry mechanism.

Through OAuth, we are able to expire tokens and revoke access. However, we want to altogether either (1) expire the data that was returned by the API call or (2) have an API that merely tells you sufficiently enough

Are ZKP-Enabled Ephemeral APIs something that is achievable?

Accepted solution

Seems like an interesting discussion but hard to conduct over this Q&A format. Many questions.

Have you looked at JWT POP tokens? Does that help?

The JWT schema includes an element to express expiry. You could deliver data (Response) wrapped in a JWT and include an expiry claim. Not sure if that would be sufficient. It would require the client to observe the expiration voluntarily. (There would not be a way to "enforce" expiry as with some DRM systems.)

I don't know what "Have an API that merely tells you" implies.

Also I don't know how Zero Knowledge Proof relates to your question. Probably if you are implementing a ZKP Protocol it's better to implement it in a mainstream server hosting environment using your favorite programming language (golang, nodejs) rather than trying to persuade an Apigee proxy to do all the work. Probably.
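The JWT-wrapped response described in the answer above, sketched as an added example that is not part of the original post. It assumes HS256 with a shared demo key so that it runs on the Python standard library alone; the function names, key and payload are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def wrap_response(data, key: bytes, ttl: int, now=None) -> str:
    """Server side: put the API response in an HS256 JWT with an exp claim."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iat": now, "exp": now + ttl, "data": data}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def unwrap_response(token: str, key: bytes, now=None):
    """Cooperating client: verify the signature, then honour exp."""
    now = int(time.time()) if now is None else now
    header, claims, sig = token.split(".")
    # Pin the algorithm instead of trusting whatever the header announces.
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    body = json.loads(_unb64(claims))
    if now >= body["exp"]:  # expired once the current time reaches exp
        raise ValueError("response expired")
    return body["data"]

def read_ignoring_expiry(token: str):
    """Non-cooperating client: the claims are only base64url, so still readable."""
    return json.loads(_unb64(token.split(".")[1]))["data"]

# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
TOKEN = wrap_response({"balance": 42}, KEY, ttl=60, now=1_700_000_000)
```

`read_ignoring_expiry` shows why the expiry is voluntary: the signature and `exp` protect integrity and let a well-behaved client refuse stale data, but they do not hide the payload from a client that skips the check.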


Thank you. I have looked at JWT POP. I am thinking in an expansive and futuristic way -- the future of APIs is such that the data that is returned is transient and temporal.