What is the best way to restrict a client to request an item from the sever by its ID unless the client also has a "key" (or something). Is encrypting the response so it can only be used if you have the key a good way? Or should you only send the item from the server to the client, it the client also has the key in the request better? Or maybe an entirely different process? I'm using golang, but should be language independent.
Looks like what you need is an authentication system.I will advise you to use JWT.Once the user is authenticated the client will get a token that you can read in your server with a private key.If the user has a valid token your service will allow the download.