auth_key) that is used to encrypt the communication between an App and a PKSA is usually provided offline and changes with each authentication request.
auth_key to the PKSA with the authentication payload, but this would allow the HAS server to decrypt all your communication. Unless you run your own HAS server, that is not a good idea. Even with your own HAS server, another PKSA where you registered your account could receive the authentication request (and the auth_key that would come with it).
auth_req_secret) to encrypt the auth_key. This means that only that specific PKSA service will be able to decrypt the auth_key provided by the App. It is up to the App to have the auth_req_secret hard-coded or to retrieve it from a config file or user input.