How can I do a signed url in Aidbox?

[pavlushkin]

I need to create an URL for a custom operation with an access token like JWT. In the JWT token we put Composition id.
This custom operation should be able to query another custom endpoint with a given resource id and only this id.

[KGOH]

Solution could be 2 custom operations:
One to generate signed url: create a jwt with url of the desired endpoint or resource id, expiration, etc
Another operation to process it: get token from the url, put it to headers
And access policy to allow access to the endpoint by checking jwt claims

[KGOH]

We are also thinking about new RPC for aidbox:
It should generate a JWT token with AccessPolicy so one can give an access to a range of endpoints or have a fine restrictions on a specific one.
JWT token also should contain user/client id on behalf of whom request will be processed. If on-behalf uid/cid will get 403 on for a request, then access via signed url should also give 403 even if the policy contained in the token allows it.
Expiration must be set in the JWT.
Aidbox should mark logs of access via signed url as anonymous access and retain original uid/cid.
We also should ensure that you can't access one box with signed url of another one

It is yet to decide whether the signed url should be the same as the one you give access to or some kind of random string, i.e.:
GET /Composition/1?signed-access=<token>
or
GET /$signed-access/<token>