I have actually tested out a system like that. I use a lot of external apis in AWS and looked at ways to create unique tokens on the fly to make authentication and authorization easy on the receiving end.
It doesn’t fit the use case discussed here, but might be an inspiration for others. In short, wrote a small serverside plugin with crypto (vanilla-node, so no dependancies).
The plugin takes whatever string or array I throw at it, and creates a encrypted token with aes-256-ctr. The tokens contains an iv cipher, so if I encrypt the same string twice, each token will be unique.
The token is then decrypted on the other end, and the values can be used in conjunction with the standard parameter values.
Compared to JWT this is much more secure as the token can’t be read, but because iv ciphering uses a random buffer, each encrypted string will be unique although the data doesn’t change. For the same reason, the auth token in the recipient api cant be cached, so there is some added latency.
I’m still hesitating to implement this live as each api call takes 500-1000 ms longer.