Fetching data from authenticated API?

I’m trying to understand what the recommended method for making authenticated API calls to my own backend server is. The questions / challenges that seem relevant to this problem seem to include:

  1. How can I securely authenticate against my backend? Is there a way to leverage the device public key, transferred to my cloud server to verify device signatures to ensure that my API is talking to whom I think I am talking to? Should I use a username & password entered by the user directly onto the device?
  2. What protocol should I use for making secure web requests? MQTT? HTTPS? It seems the library and support around these is lacking? Is it recommended that instead I make webhooks through the Particle.io cloud and forward data from my API back through the Particle cloud? This seems inefficient but perhaps more data efficient from an embedded device processing perspective? I want to use something that is secure and fast. Does this exist?

Solving this challenge seems like a critical part of building an IoT product on the Particle platform and I’d love to know that there are best practices established here.

Whenever possible, the easiest way to exchange data is using the Particle cloud, typically [publish and subscribe](https://docs.particle.io/reference/firmware/electron/#particle-publish-). This connection is pre-authenticated using RSA mutual authentication (the server and device public/private key pairs) and the session is encrypted as well (AES for Photon, DTLS for Electron).

When it comes to communicating with your own server, there are two options to connect it. One is using [webhooks](https://docs.particle.io/guide/tools-and-features/webhooks/) as you mentioned. This is particularly helpful when you want to interact with a public API.

When you’re using your own server, however, there is another possibility. In this case, I prefer to use the [SSE Event Stream](https://docs.particle.io/reference/api/#events). Your server makes a single TLS connection to the Particle cloud and keeps it open. Whenever an event occurs, it’s immediately pushed down the connection. This is very fast and efficient, because the connection is already open. Also, it works even when your server is on a private network behind a firewall. Even if you deploy to a public server, this is very handy during development.
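As an added example of the server-side SSE consumer described in the answer above (this is not code from the original post or from Particle's own SDKs): a minimal Python client that opens the long-lived TLS connection with a Bearer access token and parses the `text/event-stream` framing into Particle events. The endpoint path, the header names, the `parse_sse`/`open_event_stream` helpers and the sample stream (including the device ID in it) are assumptions made here for illustration, not something stated in the thread.

```python
"""Consume Particle cloud events over the SSE event stream.

Added example, not code from the original post or from Particle.
Assumes the documented endpoint GET /v1/devices/events/<prefix> on
api.particle.io with a Bearer access token, and standard SSE framing
("event:" / "data:" lines, a blank line dispatches the message).
The sample stream at the bottom is constructed for the offline demo.
"""
import json
import urllib.request
from typing import Iterable, Iterator, Optional

PARTICLE_EVENTS_URL = "https://api.particle.io/v1/devices/events"  # assumed


def parse_sse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one {"event", "data"} dict per SSE message.

    ':' lines are comments (Particle sends ':ok' as a keepalive),
    'event:' names the message, multiple 'data:' lines are joined with
    '\\n', and an empty line dispatches the accumulated message.
    """
    event_name, data_lines = "message", []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            if data_lines:
                yield {"event": event_name, "data": "\n".join(data_lines)}
            event_name, data_lines = "message", []
            continue
        if line.startswith(":"):
            continue
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "event":
            event_name = value
        elif field == "data":
            data_lines.append(value)
        # 'id' and 'retry' fields are ignored here.
    if data_lines:  # stream ended without a trailing blank line
        yield {"event": event_name, "data": "\n".join(data_lines)}


def parse_particle_events(lines: Iterable[str]) -> Iterator[dict]:
    """Decode the JSON object Particle places in each 'data:' field."""
    for msg in parse_sse(lines):
        try:
            payload = json.loads(msg["data"])
        except json.JSONDecodeError:
            continue  # malformed frame: skip it instead of killing the consumer
        yield {
            "name": msg["event"],
            "data": payload.get("data"),
            "coreid": payload.get("coreid"),
            "published_at": payload.get("published_at"),
        }


def open_event_stream(access_token: str, prefix: Optional[str] = None,
                      timeout: float = 90.0) -> Iterator[str]:
    """Open the single long-lived HTTPS connection and yield text lines.

    The token is sent in the Authorization header rather than as a query
    parameter so it does not end up in proxy or web-server access logs.
    """
    url = PARTICLE_EVENTS_URL + (f"/{prefix}" if prefix else "")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "text/event-stream",
    })
    resp = urllib.request.urlopen(req, timeout=timeout)
    return (line.decode("utf-8", "replace") for line in resp)


# Constructed sample of what the cloud pushes down the connection.
SAMPLE_STREAM = """\
:ok

event: temperature
data: {"data":"23.4","ttl":60,"published_at":"2019-03-01T10:00:00.000Z","coreid":"1f0031000a47353138383138"}

event: spark/status
data: {"data":"online","ttl":60,"published_at":"2019-03-01T10:00:05.000Z","coreid":"1f0031000a47353138383138"}

"""


def demo() -> list:
    """Parse the constructed sample stream offline."""
    return list(parse_particle_events(SAMPLE_STREAM.splitlines()))


if __name__ == "__main__":
    for ev in demo():
        print(ev["name"], ev["data"], ev["coreid"])
    # Live use: for ev in parse_particle_events(open_event_stream(TOKEN, "temperature")): ...
```

The access token lives only on your server, and the device side needs no credential of its own beyond the key pair the answer mentions, so nothing about your backend's authentication is exposed on the device. Keep the reconnect logic simple: when the generator ends or raises, sleep briefly and call `open_event_stream` again.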

This is very helpful. Thank you.