JavaScript-helping to solve a design logic problem

I have a multiple server
One of them is responsible for business logic, saving all business data, and providing only private API interfaces to outsiders. Temporarily named as API server;

The second server, which is provided to the public number or Web page, mainly holds the static HTML and JS as well as some PHP files that interface to the API server. Temporarily named as the WeChat server.

When users use, can only access WeChat server, sent to WeChat server request, through the server private strong encryption API interface Request API server, so that external access can rely on the OpenID to judge.

But now there is a new requirement that the API server provides a new feature that is open to users with attribute A, and that the associated information for attribute A and OpenID is stored on the API server (both MySQL and Redis exist). But I need on the WeChat server to give the user whether it has access to this resource.

Here are a few ways to help you find out which one is good, or whether there is a better way.
1, WeChat server directly to access the data table on the API server. This is physically possible, but it is too illogical to feel different services accessing data across servers.

2, on the API server to do a new interface Api:ifopenidhasa. This feeling is a bit of a waste of resources, slowing down system speed.

3, on the interface of resource A to do the check, request resource A when the request to determine whether the WeChat server with parameter a. This seems fine at the moment, but what if there is a parameter ABCD corresponding to the different resources? And if there is a super-user has all the permissions of the parameters and how to do not know.

Add: There may be some places that are not very clear, add:
API interface is to go encrypted, currently only WeChat server sent past the encrypted traffic can access, is done in this authentication. Now the API server can only connect to the WeChat server, external is not visible. Later also do not intend to do open API, are by WeChat server or later own app, are encrypted. Now you can think of the WeChat server is actually a client (cloud client or Web client, etc.).

However, if you really want to do the app after this, you may not be able to use the method 1.

Reply content:

I have a multiple server
One of them is responsible for business logic, saving all business data, and providing only private API interfaces to outsiders. Temporarily named as API server;

The second server, which is provided to the public number or Web page, mainly holds the static HTML and JS as well as some PHP files that interface to the API server. Temporarily named as the WeChat server.

When users use, can only access WeChat server, sent to WeChat server request, through the server private strong encryption API interface Request API server, so that external access can rely on the OpenID to judge.

But now there is a new requirement that the API server provides a new feature that is open to users with attribute A, and that the associated information for attribute A and OpenID is stored on the API server (both MySQL and Redis exist). But I need on the WeChat server to give the user whether it has access to this resource.

Here are a few ways to help you find out which one is good, or whether there is a better way.
1, WeChat server directly to access the data table on the API server. This is physically possible, but it is too illogical to feel different services accessing data across servers.

2, on the API server to do a new interface Api:ifopenidhasa. This feeling is a bit of a waste of resources, slowing down system speed.

3, on the interface of resource A to do the check, request resource A when the request to determine whether the WeChat server with parameter a. This seems fine at the moment, but what if there is a parameter ABCD corresponding to the different resources? And if there is a super-user has all the permissions of the parameters and how to do not know.

Add: There may be some places that are not very clear, add:
API interface is to go encrypted, currently only WeChat server sent past the encrypted traffic can access, is done in this authentication. Now the API server can only connect to the WeChat server, external is not visible. Later also do not intend to do open API, are by WeChat server or later own app, are encrypted. Now you can think of the WeChat server is actually a client (cloud client or Web client, etc.).

However, if you really want to do the app after this, you may not be able to use the method 1.

I canceled the previous answer. I think I and your ideas are not on a channel, so the answer is completely farfetched.
My idea is to ensure security through authorization, but your idea is to ensure security through the encryption of data, I think the performance difference between the two is very obvious, and now you find that relying solely on encryption does not solve all the problems when you worry about the performance of security certification loss ...

