Hi,

Currently we use username/password-based authentication when retrieving and publishing metadata via the metadata service API. The issue with this approach is that one client can access/alter another app's data if it knows the application id.

I suggest using OAuth to secure resources and let the client access only the metadata related to its application. I am doing R&D on possible ways of accomplishing this task and will update the thread on my findings. Currently I am assessing the feasibility of the WSO2 IS OAuth feature and the WSO2 APIM key manager feature.
--
Udara Liyanage
Software Engineer
WSO2, Inc.: http://wso2.com
lean. enterprise. middleware
web: http://udaraliyanage.wordpress.com
phone: +94 71 443 6897