I would like to create a GUI + API that calls a third-party API as follows:
- the third-party API is consumed once a day by my API,
- the GUI user doesn't have to log in every day (e.g. can log in only once every 30 days to request data from my API),
- my API is designed to be scalable.
The flow of the system:
- the desktop/browser GUI sends a request with the 3rd-party API credentials to my API,
- my API prepares a request to the 3rd-party API to get a JWT token,
- after retrieving the token, the JWT is used to request data from the 3rd-party API and store it in a database.
Since each request for collecting data requires a valid JWT token, I have come across a few problems with how to make the API collect data each day without any user interaction.
Things I have thought of (and optionally the reasons why I've rejected them, which may be wrong):
- Since the JWT is valid for 30 days by default, maybe I could store it in (for example) Azure Key Vault?
- ...but on the other hand I feel uncomfortable storing the JWT when it's not needed. Therefore, I thought of storing the credentials for each client in the database and reducing the token's lifetime to (let's say) 5 minutes, so I have it just for the time it's needed. But if I were to store those credentials, AFAIK I should store them hashed (and if I am not wrong, I then won't be able to use them in the request for the JWT).
My questions are:
- if I am correct and the ideas presented above are wrong, I would like to hear more remarks (just for self-development),
- what is the proper way of designing the application (my API in that case) so it can securely deal with credentials/JWTs and securely prepare requests for many days without the user interacting with it,
- any remarks related to any aspect of such a system are welcome.
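The daily flow described in the question, as an added example that is not part of the original post: a scheduled job reads a client's third-party credential from a secrets store at run time, obtains a short-lived HS256 JWT from a stubbed third-party endpoint, uses it once to fetch data into the API's database, and never writes the token or the credential into that database. Everything here is constructed for illustration: `ThirdPartyStub` stands in for the real third-party API (its signing key and 300-second lifetime are assumptions), `SecretStore` stands in for a secrets manager such as the Key Vault mentioned in the question, and the client id, password and data rows are made-up sample values.

```python
"""Added example: daily collection with a short-lived, never-persisted JWT.
All names and values below are constructed for illustration (stdlib only)."""
import base64, hashlib, hmac, json, sqlite3, time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class ThirdPartyStub:
    """Stand-in for the third-party API: token() issues HS256 JWTs, data() requires one."""

    def __init__(self, users: dict, signing_key: bytes, token_ttl: int = 300):
        self._users = users            # constructed: client_id -> password
        self._key = signing_key        # assumption: HS256 with a key only the issuer knows
        self._ttl = token_ttl          # short lifetime, as the question proposes

    def token(self, client_id: str, password: str, now=None) -> str:
        now = int(now if now is not None else time.time())
        if not hmac.compare_digest(self._users.get(client_id, ""), password):
            raise PermissionError("bad credentials")
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": client_id, "iat": now, "exp": now + self._ttl}).encode())
        sig = hmac.new(self._key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def data(self, bearer: str, now=None) -> dict:
        now = int(now if now is not None else time.time())
        claims = self._verify(bearer, now)
        return {"client": claims["sub"], "items": [1, 2, 3]}   # constructed payload

    def _verify(self, token: str, now: int) -> dict:
        header, payload, sig = token.split(".")
        expected = hmac.new(self._key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= now:
            raise PermissionError("token expired")
        return claims


class SecretStore:
    """Stub for a secrets manager: the API's own database stores only the reference."""

    def __init__(self):
        self._secrets = {}

    def put(self, ref: str, value: str) -> None:
        self._secrets[ref] = value

    def get(self, ref: str) -> str:
        return self._secrets[ref]


def run_daily_collection(db, store, third_party, now=None) -> int:
    """One run of the scheduled job; returns the number of clients collected."""
    collected = 0
    for client_id, secret_ref in db.execute("SELECT client_id, secret_ref FROM clients").fetchall():
        password = store.get(secret_ref)                      # fetched only for this run
        token = third_party.token(client_id, password, now)   # minted fresh, expires in minutes
        result = third_party.data(token, now)
        db.execute("INSERT INTO snapshots(client_id, collected_at, payload) VALUES (?, ?, ?)",
                   (client_id, int(now if now is not None else time.time()), json.dumps(result)))
        del token, password                                   # nothing persisted beyond this call
        collected += 1
    db.commit()
    return collected


def token_usable(third_party, token: str, at: int) -> bool:
    """True if the third party would still accept the token at the given time."""
    try:
        third_party.data(token, at)
        return True
    except PermissionError:
        return False


def setup_demo():
    """Constructed environment: one client, its secret held only in the SecretStore."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients(client_id TEXT PRIMARY KEY, secret_ref TEXT)")
    db.execute("CREATE TABLE snapshots(client_id TEXT, collected_at INTEGER, payload TEXT)")
    db.execute("INSERT INTO clients VALUES ('acme', 'kv://clients/acme')")
    store = SecretStore()
    store.put("kv://clients/acme", "constructed-password")
    third_party = ThirdPartyStub({"acme": "constructed-password"}, signing_key=b"constructed-key")
    return db, store, third_party


if __name__ == "__main__":
    db, store, tp = setup_demo()
    for day in range(2):                                      # two daily runs, no user involved
        print("collected", run_daily_collection(db, store, tp, now=1_700_000_000 + day * 86400))
    print(db.execute("SELECT client_id, collected_at FROM snapshots").fetchall())
```

The point the example makes concrete is the split between what the API's database holds (a client row with a reference to a secret) and what exists only for the duration of one job run (the credential and a token whose `exp` is minutes away); after the job, nothing in the database or the secrets store can be replayed against the third party.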