In order to improve the security of our mobile application's API, we have decided to use one-time keys that will verify that the request is authenticated. After making the request with that key, the key won't be usable anymore, and the server will then return the new usable key. An example JSON request would look like this:
{"secretKey":"aXbtF&5","data":"Some stuff that will act like data"}
I have several questions. The first question is related to the implementation of making the key "deactivated". I would not want the key to be used a second time, since I will be providing the new key in the API's response. We are using Node.js and Redis, and the only way I can think of to make the key unusable again is to store the keys in Redis and later check whether the request includes the key that is saved in Redis. Later on, using some sort of cron job, we will delete the keys and swap the dictionaries used by our algorithm. However, this does not sound reasonable, since we are expecting about 7K requests per second, and I don't think storing every key would be an efficient way.
The other question I have is about the correctness of this system. Assuming the implementation is done without any problems, would the system reach a dead end if, even once, the server could not produce the new key? The client won't be able to retrieve the new key, the old key won't be usable, and the client won't be able to make any requests.
What security pattern would be best to apply, or could my method, with some modifications, be applied in production?