Hi,
I think the easier solution is keeping the schema of posting user updates to your partner's endpoints, but with the following considerations:
- The API implemented by your partners should be REST/JSON based (avoid heavy protocols like WS/SOAP)
- Keep API objects as simple as possible, and use just the HTTP status code as the service response (they should return just an HTTP 200 OK to indicate a successful operation; do not ask them to build a JSON response)
- Implement a retry mechanism to handle partner downtime, with an exponential backoff on the retry frequency, and depending on how critical the reception of the update is, you can discard non-accepted updates, or pause the partner and send a formal notification (email)
- JWT is not the best solution, because it requires an initial login to get the token, has an expiration date, etc.
- I recommend working with REST over HTTPS, but including a signature in every request you send. So your partners can sign the relevant section of the request and compare it with the signature using a pre-shared, per-client token. So they can validate that the request comes from your app
- This security mechanism is quite standard and used by a lot of payment gateways, so it's secure
- If you want to simplify the integration even more, you could provide some libraries, so they can use them to validate the signature without knowing about encryption, etc.
Let me know if you have additional doubts.
Regards,
Santiago
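The per-client signed request and exponential backoff described in the reply above, as an added example that is not part of the original post. It assumes a constructed partner secret, a signature over a timestamp plus the canonical JSON body (so stale or replayed requests are rejected), and that the partner answers only with an HTTP status code; the header names are assumptions.

```python
import hmac
import hashlib
import json

# Constructed per-partner pre-shared secrets (hypothetical values, never reuse).
PARTNER_SECRETS = {"partner-42": b"example-shared-secret-do-not-reuse"}


def canonical_body(update: dict) -> bytes:
    """Stable serialization so sender and receiver sign identical bytes."""
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def sign_update(partner_id, update, timestamp, secrets=PARTNER_SECRETS):
    """Sender side: HMAC-SHA256 over '<timestamp>.<body>' with the partner's secret.
    Returns the raw body to POST and the headers to attach (assumed header names)."""
    body = canonical_body(update)
    msg = f"{timestamp}.".encode() + body
    sig = hmac.new(secrets[partner_id], msg, hashlib.sha256).hexdigest()
    headers = {"X-Partner-Id": partner_id, "X-Timestamp": str(timestamp), "X-Signature": sig}
    return body, headers


def verify_update(headers, raw_body, now, secrets=PARTNER_SECRETS, max_skew=300):
    """Receiver side (the partner's library): recompute the HMAC over the raw bytes
    and return the HTTP status code to answer with (200 only when everything checks)."""
    secret = secrets.get(headers.get("X-Partner-Id"))
    if secret is None:
        return 401  # unknown client id
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return 400  # malformed request
    if abs(now - ts) > max_skew:
        return 401  # stale or replayed request
    expected = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 401
    return 200


def backoff_schedule(attempts, base=1.0, cap=3600.0):
    """Delays in seconds between retries to a partner that is down: exponential, capped."""
    return [min(cap, base * 2 ** i) for i in range(attempts)]
```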