I’m trying to understand what the recommended method for making authenticated API calls to my own backend server is. The questions / challenges that seem relevant to this problem seem to include:
- How can I securely authenticate against my backend? Is there a way to leverage the device public key, transferred to my cloud server to verify device signatures to ensure that my API is talking to who I think I am talking to? Should I use a username & password entered by the user directly onto the device?
- What protocol should I use for making secure web requests? MQTT? HTTPS? It seems the library and support around these are lacking? Is it recommended that instead I make webhooks through the Particle.io cloud and forward data from my API back through the Particle cloud? This seems inefficient but perhaps more data efficient from an embedded device processing perspective? I want to use something that is secure and fast. Does this exist?
Solving this challenge seems like a critical part of building an IoT product on the Particle platform and I’d love to know that there are best practices established here.