I built this service rendered over HTTPS.
We're using the Hawk protocol to authenticate message producers, but since the service will use HTTPS, Hawk is overkill in my opinion.
Some of the drawbacks of using Hawk in my opinion:
- Signs whole message: overkill when you're using TLS
- Tries to be stateless on the server-side and implements a sort of message non-repeatability by including a timestamp inside the message. The timestamp has to be equal to the server-side time, give or take 1 minute. This imposes time synchronization between client and server, which is hard to enforce.
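
The timestamp window described in the second point, as an added example that is not part of the original post and is not the Hawk library's code: a server-side freshness check with a short-lived nonce cache, run against a constructed producer whose clock is 90 seconds behind. The function names, the `id:nonce` cache key and the offset correction from a server-reported time are assumptions made for illustration.

```javascript
// Added illustration: names are hypothetical, not the Hawk library's API.
const SKEW_SEC = 60; // "give or take 1 minute", as in the post

function createReplayGuard() {
  return { seen: new Map() }; // "id:nonce" -> second after which ts is stale
}

// msg.ts is the client's timestamp in seconds; nowSec is the server clock.
function checkFreshness(guard, msg, nowSec) {
  // Forget nonces whose timestamps can no longer pass the window check.
  for (const [key, expiry] of guard.seen) {
    if (expiry < nowSec) guard.seen.delete(key);
  }
  if (!Number.isInteger(msg.ts) || typeof msg.nonce !== "string" || !msg.nonce) {
    return { ok: false, reason: "malformed" };
  }
  if (Math.abs(nowSec - msg.ts) > SKEW_SEC) {
    // Reporting server time lets a drifting client compute a correction.
    return { ok: false, reason: "stale", serverTime: nowSec };
  }
  const key = `${msg.id}:${msg.nonce}`;
  if (guard.seen.has(key)) return { ok: false, reason: "replay" };
  guard.seen.set(key, msg.ts + SKEW_SEC);
  return { ok: true };
}

// Constructed scenario: a producer whose clock runs 90 s behind the server.
function demo() {
  const guard = createReplayGuard();
  const serverNow = 1700000000; // constructed value
  const clientClock = serverNow - 90;
  const first = checkFreshness(
    guard, { id: "producer-1", ts: clientClock, nonce: "n1" }, serverNow);
  // The client applies an offset instead of resetting its own clock.
  const offset = first.serverTime - clientClock;
  const fixed = { id: "producer-1", ts: clientClock + offset, nonce: "n2" };
  const retry = checkFreshness(guard, fixed, serverNow);
  const replay = checkFreshness(guard, fixed, serverNow + 5);
  const late = checkFreshness(guard, fixed, serverNow + 61);
  return [first.reason, retry.ok, replay.reason, late.reason];
}
```

The nonce cache only has to hold entries for the length of the acceptance window, which is the server-side state that remains even with a timestamp in the message.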