Merchants and application developers create applications that allow users to initiate service requests that comprise a request for information from a third-party system or a request to process a financial transaction by the third-party system. When these requests are processed by the third-party system, the third-party system must effectively verify the identity of the application conveying the request, so that the user and the merchant services are protected from fraud, identity theft, and other malicious behavior.
Traditionally, systems have verified the identity of the application conveying the request through the use of web tokens. The application can present a web token and make a request for an access token from the third-party system. This authentication process requires the use of shared secrets, which gives each party access to the same cryptographic key. Under this method, in order to prove its identity to the third-party system, the application must first identify itself to the merchant service's servers to be allowed access to the shared secret. This circular identification process may be burdensome to merchant services.
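The shared-secret web token check described above, as an added example that is not part of the original text: it assumes an HS256-signed, JWT-style token (the text says only "web tokens"), and the secret, audience and function names are constructed for illustration. Because both sides hold the same key, the verifying party can produce exactly the token it accepts, so a valid token proves only possession of the secret.

```python
import base64, hashlib, hmac, json

# Constructed values: the page names no key, application id or audience.
SHARED_SECRET = b"constructed-demo-secret"
AUDIENCE = "third-party-token-endpoint"  # hypothetical


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint_web_token(secret: bytes, issuer: str, now: int, ttl: int = 60) -> str:
    """Sign a short-lived web token; any holder of the secret can call this."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + _b64(_tag(secret, signing_input))


def verify_web_token(secret: bytes, token: str, now: int):
    """Third-party side: return the claims if the token is valid, else None."""
    try:
        head_b64, claims_b64, tag_b64 = token.split(".")
        header, claims = json.loads(_unb64(head_b64)), json.loads(_unb64(claims_b64))
        tag = _unb64(tag_b64)
    except ValueError:
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm, never take it from the token
        return None
    if not hmac.compare_digest(tag, _tag(secret, f"{head_b64}.{claims_b64}")):
        return None
    exp = claims.get("exp")
    if claims.get("aud") != AUDIENCE or not isinstance(exp, int) or now >= exp:
        return None
    return claims
```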