I need to implement a web application for the user to exchange money. The application must invoke API # 1 to retrieve the exchange rate and display it on the screen to confirm it. And then invoke another API # 2 (the same API provider) with that type of change confirmed to execute the exchange of money.
To avoid storage of the state on the server and to prevent the user from modifying the exchange rate, what occurs to me is that API # 1 needs to return a simple exchange rate along with its corresponding encryption using a symmetric key. Then pass the encryption to API # 2 for the execution of the transaction.
Am I right? How do I implement the encryption securely? A symmetric password per user derived from the logon name and logon timestamp? Or generate a random session key for each login session?
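As an added example (not code from the question's author), one way to make the quote from API #1 tamper-evident without server-side state. It swaps the encryption idea for an HMAC over the quote, because what API #2 needs is integrity (that the rate was not altered), not secrecy: an encrypted rate with no authentication tag can still be modified undetected. The field names, the 60-second lifetime and the demo key are assumptions; the token is bound to the user and expires, and the `jti` value gives API #2 a way to refuse a reused quote if it keeps a short-lived list.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; in production load it from a secrets store or KMS,
# never derive it from the user's login name or timestamp.
SERVER_KEY = b"constructed-demo-key-not-for-production"
QUOTE_TTL_SECONDS = 60  # assumption: how long a displayed rate stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_quote(user_id, from_ccy, to_ccy, rate, amount, now=None, key=SERVER_KEY):
    """API #1 side: return the rate plus a signed, expiring, user-bound quote token.

    Token format is payload.tag; the payload is readable (no secrecy is needed)
    and the HMAC-SHA256 tag lets API #2 detect any change to it.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "jti": secrets.token_hex(8),  # quote id; API #2 may record it to refuse reuse
        "user": user_id,
        "from": from_ccy,
        "to": to_ccy,
        "rate": str(rate),            # strings avoid float round-trip surprises
        "amount": str(amount),
        "exp": now + QUOTE_TTL_SECONDS,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"rate": str(rate), "token": _b64(body) + "." + _b64(tag)}


def verify_quote(token, user_id, now=None, key=SERVER_KEY):
    """API #2 side: return the quote payload, or None if the token is malformed,
    tampered with, expired, or was issued to a different user."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    payload = json.loads(body)  # only parsed after the tag has been verified
    if payload["exp"] <= now or payload["user"] != user_id:
        return None
    return payload


if __name__ == "__main__":
    quote = issue_quote("alice", "USD", "EUR", "1.0850", "100")
    print("API #1 returns:", quote)
    print("API #2 accepts:", verify_quote(quote["token"], "alice"))
```

The key is one server-side secret shared by API #1 and API #2, not a per-user or per-session key: a key derived from the login name and timestamp is predictable, and a random per-session key would need exactly the server-side state the design is trying to avoid. What a stateless token cannot do on its own is stop the same valid quote from being submitted twice inside its lifetime; if a duplicate execution would matter, API #2 has to remember the `jti` values it has already honoured until they expire.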