Implement ASAP in your service
Your service may be a client or a resource server. In the former case, it needs to include tokens with every request it makes; in the latter, it has to accept requests which include a valid token.
Normally, you don't need to worry much about the protocol. There are libraries that implement the ASAP protocol in some languages. For a complete list, see implementation.
For instance, if your service uses Java, you can use the Java implementation (also named ASAP). Check the specific instructions of each library to learn how to use it (as a client or a server) in your service.
Generate a key pair, publish the public key and deploy the private key such that the client service can use it to sign requests.
You need a new pair of (public, private) keys. For maximum compatibility, you should use a pair of RSA keys. A new key pair can be generated using openssl from the command line.
The Java implementation of ASAP also provides an easy way to generate key pairs.
Once you have the key pair, you have to:
- Upload the public key to a key repository. Typically, you may have different key repositories for each environment (Dev, Staging, Prod).
- Keep the private key secret! Your service needs to know it, so think about how are you going to deploy it with your service. Do not check it in the source code repo!
Configure the location of the public key repository for your resource server. Your service needs to know the location (base URL) of the public key repository so that it can verify and validate client requests.
Typically, you may have different key repositories for each environment (Dev, Staging, Prod).