I understand how to prevent replay attacks - your API user sends the current timestamp along with the API request. When I get the request on my server, I check the timestamp...if it's too old, throw away the request.
This works great if I'm using cURL on my web server or something to post to the API, because I can rely on the server time. How does this work if I want to post to the API directly from JS, though? I can't rely on the client time and I don't want to have to send the server time down from PHP and store it in JS.
Assume this is all over SSL. Thanks!