...
Both the portal and the mobile app will perform a recaptcha check and pass the recaptcha response to the backend for verification (the portal backend in the case of the portal, the Android recaptcha check in the case of mobile)
Once the recaptcha response is verified, an API call is made for an anonymous session to fetch a token for the user
As of now we will allow only the portal and the mobile app to invoke these register APIs on behalf of the user. The register API is protected by a JWT token that is injected only in the mobile app and the portal
These tokens (which are issued to the portal and mobile app on behalf of the user) will have a higher rate limit (maybe 500 per hour)
An anonymous user can also directly obtain a token (how to do that is mentioned somewhere below in this post), but such a token will have a very low rate limit (maybe 100 per hour)
Kong ACLs will be removed as we will not require any ACL checks; the API authorization check will be handled by OPA and Envoy sidecars
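As an added illustration (not code from this project, and not the OPA/Envoy policy itself), the Python sketch below models the two token classes described above: tokens issued via the portal or mobile app may call the register APIs and get the higher hourly limit, while a directly obtained anonymous token is refused on register and gets the lower limit. The signing secret, the "client" claim name and the one-hour token lifetime are assumptions.

```python
import base64, hashlib, hmac, json
from collections import defaultdict

SECRET = b"constructed-demo-secret"  # placeholder, not a real signing key
WINDOW = 3600                        # one hour, in seconds
# Hourly limits per token class, taken from the design note ("maybe 500" / "maybe 100").
HOURLY_LIMITS = {"portal": 500, "mobile": 500, "anonymous": 100}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(client: str, now: int) -> str:
    """Mint an HS256 JWT; the assumed 'client' claim records who obtained it."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"client": client, "iat": now, "exp": now + WINDOW}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

class Gateway:
    """Stand-in for the authorization + rate-limit check the sidecars would perform."""
    def __init__(self):
        self._hits = defaultdict(list)  # token -> timestamps of accepted calls

    def authorize(self, path: str, token: str, now: int):
        claims = verify_token(token, now)
        if claims is None:
            return 401, "invalid or expired token"
        client = claims.get("client", "anonymous")
        # Register APIs are only callable through the portal or the mobile app.
        if path.startswith("/register") and client not in ("portal", "mobile"):
            return 403, "register APIs are only callable via the portal or mobile app"
        limit = HOURLY_LIMITS.get(client, HOURLY_LIMITS["anonymous"])
        recent = [t for t in self._hits[token] if t > now - WINDOW]
        if len(recent) >= limit:
            return 429, f"rate limit of {limit}/hour exceeded"
        recent.append(now)
        self._hits[token] = recent
        return 200, "ok"
```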
Internal communication between services
...