The `auth_key` that is used to encrypt the communication between an App and a PKSA is usually provided offline and changes with each authentication request.

Sending the `auth_key` to the PKSA together with the authentication payload would allow the HAS server to decrypt all your communication. Unless you run your own HAS server, that's not a good idea. Even with your own HAS server, it could be that another PKSA where you registered your account receives the authentication request (and the `auth_key` that would come with it).

A shared secret (`auth_req_secret`) can be used to encrypt the `auth_key`. This means that only that specific PKSA service will be able to decrypt the `auth_key` provided by the App. It is up to the App to have the `auth_req_secret` hard-coded, or to retrieve it from a config file or user input.