In order to secure cloud REST services we want to make use of API Keys
QR Invoice REST Standalone should still work without API Keys, if this feature is not turned on
API Key is passed as a Query Parameter named "api_key"
API Keys will be alphanumeric (ASCII) keys - secure generation is to be defined
API Keys can be managed in files (one file / multiple files)
API Key should be checked in a custom filter or through Spring Security, whichever fits best
Per API Key some basic customer information has to be stored (customer id / customer name)
Ideally new API Keys can be added and picked up by QR Invoice REST Application without restarting the service
Customer id is added to logs through MDC (https://www.baeldung.com/mdc-in-log4j-2-logback#mdc-in-slf4jlogback)
API Key is added as an optional security definition in swagger, therefore authentication is possible in SwaggerUI
Example of how to define API Key Security through Springfox: https://github.com/springfox/springfox/issues/2494#issuecomment-398634553
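
One possible shape for the custom-filter option, as an added example that is not part of the original issue or the QR Invoice code base. It assumes Spring Boot 2 (javax.servlet), SLF4J, and a hypothetical properties-style key file with lines of the form `<apiKey>=<customerId>;<customerName>`; the class name, the `enabled` flag and the `customerId` MDC key are also assumptions.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.Properties;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.MDC;
import org.springframework.web.filter.OncePerRequestFilter;

/** Added example: checks the "api_key" query parameter against a reloadable key file. */
public class ApiKeyFilter extends OncePerRequestFilter {
    private final Path keyFile;     // assumed format per line: <apiKey>=<customerId>;<customerName>
    private final boolean enabled;  // false keeps the standalone behaviour without API keys
    private Properties keys = new Properties();
    private FileTime loadedAt = FileTime.fromMillis(0);

    public ApiKeyFilter(Path keyFile, boolean enabled) { this.keyFile = keyFile; this.enabled = enabled; }

    /** Re-reads the key file when its modification time changes, so new keys need no restart. */
    private synchronized Properties currentKeys() throws IOException {
        FileTime modified = Files.getLastModifiedTime(keyFile);
        if (!modified.equals(loadedAt)) {
            Properties fresh = new Properties();
            try (Reader in = Files.newBufferedReader(keyFile)) {
                fresh.load(in);
            }
            keys = fresh;
            loadedAt = modified;
        }
        return keys;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if (!enabled) { chain.doFilter(req, res); return; }
        String apiKey = req.getParameter("api_key");
        String customer = apiKey == null ? null : currentKeys().getProperty(apiKey);
        if (customer == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing or invalid api_key");
            return;
        }
        MDC.put("customerId", customer.split(";", 2)[0]);  // log the customer id, never the key itself
        try { chain.doFilter(req, res); } finally { MDC.remove("customerId"); }
    }
}
```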