We have an Android App written in Java that performs HTTPS calls to our mobile API server running ASP.NET Web API 2 (C#). Some API methods require authentication, and some methods are "open". Protecting "open" methods is not required, but we still want to protect those "open" calls with digital signatures.

So Android app will have a Private Key to sign the "open" API calls with. The strategy of delivering that private key into the app is irrelevant for this question, but it could be either one of a) one key for all users, embedded (hardcoded) in the APK file, or b) different key for each user, delivered to the phone from server as part of users "email verification" process.

Let's just assume that "somehow" app has that Private Key, and the API server has the corresponding Public Key. So what would be the recommended crystallographic schema to sign the API call to server?

Possible Alternatives:

• use app's PrivKey to create a Certificate and then app would use that Certificate in HTTPS connection to server, and server would know that this request is legit. In this schema, nothing needs to be signed in the API call or its payload
• user app's PrivKey to sign API call's "payload", and add the signature to HTTP Headers, or to JSON being sent to server. What kind of standards do we have here? Any standard header names? Any standard fromats for digitally signed JSON payloads / envelops?

Please advice! Thank You!