>Hi all,
>
>On a customer app, the VFP app communicates with a document server for pushing documents into the repository (the VFP app holds most of the metadata on the documents). All of the calls are via a REST API on the server. Up to this point, with every call to the server, I have passed the credentials in clear text. Client would like this tightened up so no creds are exposed. Here is the setup:
>
>- on the VFP side, the password is stored encrypted and decrypted before sending
>- the API receives it and then uses LDAP to authenticate the user
>
>- on the VFP side, I have access to a function that supports TripleDES encryption (via Rick Strahl's encryption library)
>- but on the document server, they only have access to AES encryption libraries
>
>My original thought was to encrypt the password and the key would be stored on both sides (obfuscated as well as possible), but with different encryption protocols, this does not work.
>
>Are there any other approaches I could use to solve this? Are there any common Windows function libraries that might work, since that would be available on both sides?
>
>Albert
It is a little strange that a REST API based system expects to have a password on each call. Can't you talk with the developer of the API so it can use something like OAuth?
PS: If it is more about sending and receiving the communication encrypted, then you might use HTTPS (Let's Encrypt provides open source certificates, and Caddy server by nature provides HTTPS, for example).
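
A sketch of the "something like OAuth" idea from the reply, as an added example that is not part of the thread or of either system's code: the password crosses the wire once (over HTTPS), the server checks it against LDAP and returns a short-lived signed token, and every later call carries only that token. This is a simplified HMAC-signed bearer token, not OAuth itself; `ldap_bind_ok`, `login`, `verify`, the 15-minute lifetime and the sample credentials are all hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # lives only on the document server
TOKEN_TTL = 900                       # assumed token lifetime in seconds

def ldap_bind_ok(user, password):
    # Hypothetical stand-in for the server's existing LDAP authentication.
    return (user, password) == ("albert", "constructed-password")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(payload):
    return b64url(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())

def login(user, password, now=None):
    """One call per session, over HTTPS. Returns a bearer token or None."""
    if not ldap_bind_ok(user, password):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL}).encode()
    return b64url(payload) + "." + sign(payload)

def verify(token, now=None):
    """Run on every API request. Returns the user name or None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        # Check the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
            return None
        claims = json.loads(payload)
    except (ValueError, AttributeError):
        return None  # malformed token
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None  # expired: the client must log in again
    return claims["sub"]
```

The client side needs no encryption library at all, only an HTTPS client and a place to hold the token string, so the TripleDES/AES mismatch no longer matters.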