Hi, can I suggest that you support optionally also public key signing for HMAC auth type
Have seen this elsewhere and would be a great enhancement to the security of HMAC auth type.
So essentially an option for HMAC auth where they key does not automatically generate a shared HMAC secret,
but instead the client generates an RSA public/private key pair and then sends the public key to us which is held with the tyk key (instead of the HMAC secret).
On receiving the request the only change to HMAC auth is the check the signature has been signed by the private key (using the public key this is possible of course)
- No need to work out how to securely transfer the HMAC secret to the client, the public key can be shared freely as its not used for the signing
- Non-repudiation is strengthened. As we never have the private key only the client could have signed that request