I have a PHP web site that I am connecting to a mobile application via a RESTful JSON API.
From what I know, it's imperative that I keep the concepts of GET/POST separated. However, we're attempting to do this in a secure manner. Right now on every request we pass a public_key and hash. The public_key is used to identify the user making the request and the hash is used to authenticate them.
The hash is built off of a few factors, including a private key held by both parties. The web server builds a hash and authorizes the request if the server-built hash matches the passed-in hash.
However, right now we're doing this in a POST, to send the information via JSON.
With the endpoint being a url.com/api/v1/items
This endpoint should be used with an HTTP GET to get back all the items. But right now we're forced to do a POST even though we're not sending or adding a list item to the server.
Is there a better way to be doing this? Should I be doing a base64 encoding of the auth and pushing it into a basic http auth header? Any recommendations would be great.
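
The scheme described in the question, with the public_key and hash carried in request headers so that a GET needs no JSON body, as an added example that is not part of the original post. The header names, the signed fields (method, path, timestamp), the use of HMAC-SHA256 and the sample keys are assumptions, since the post does not say how the hash is built.

```php
<?php
// Added example. Header names, signed fields and HMAC-SHA256 are assumptions.

// Constructed sample key store: public_key => private key shared with that client.
const KEYS = ['pk_demo_123' => 'constructed-shared-secret'];

// The hash both sides compute: HMAC over method, path and timestamp.
// Binding the method and path stops a hash for one request authorizing another.
function sign_request(string $method, string $path, int $timestamp, string $privateKey): string
{
    $message = strtoupper($method) . "\n" . $path . "\n" . $timestamp;
    return hash_hmac('sha256', $message, $privateKey);
}

// Server side: identify the caller by public_key, rebuild the hash, compare.
function verify_request(string $method, string $path, array $headers, int $now, int $maxSkew = 300): bool
{
    $publicKey = $headers['X-Public-Key'] ?? '';
    $hash      = $headers['X-Signature'] ?? '';
    $timestamp = $headers['X-Timestamp'] ?? '';

    if (!array_key_exists($publicKey, KEYS) || !ctype_digit($timestamp)) {
        return false;
    }
    // Reject stale timestamps so a captured request cannot be replayed indefinitely.
    if (abs($now - (int) $timestamp) > $maxSkew) {
        return false;
    }
    $expected = sign_request($method, $path, (int) $timestamp, KEYS[$publicKey]);
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $hash);
}

// Constructed GET request for the items endpoint, signed as the mobile client would.
$now = 1700000000;
$headers = [
    'X-Public-Key' => 'pk_demo_123',
    'X-Timestamp'  => (string) $now,
    'X-Signature'  => sign_request('GET', '/api/v1/items', $now, 'constructed-shared-secret'),
];

// Case 1: the request as signed. Case 2: same headers reused on a POST.
// Case 3: same headers presented an hour later.
var_dump(verify_request('GET', '/api/v1/items', $headers, $now));
var_dump(verify_request('POST', '/api/v1/items', $headers, $now));
var_dump(verify_request('GET', '/api/v1/items', $headers, $now + 3600));
```

Because the private key never leaves either party and only the hash is transmitted, this differs from HTTP Basic auth, where the base64-encoded credential itself travels with every request.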