Lots of things need to be improved, but this is a working example of a validation done by a third-party. The exact protocol needs to be written somewhere (I'll probably write documentation next week), but right now we have this:

• assume we have a regular sponsor registered in the gas station, who deposited credits and registered a contract KT1;
• examples/main registers to the gas station API at startup with something like

GAS_STATION_URL=http://localhost:8000 uvicorn examples.main:app --port 8005

and associates its own URL and public key with the sponsor (and thus, with the contract KT1)

• when we send an operation to the gas station, it looks if it needs to get the validation from another API;
• the operation is sent to the 2nd API, which accepts it up to two times per user;
• When the 2nd API accepts the operation, it returns a signed receipt to the gas station which checks the signature and tells the gas station what to do: post the operation itself with the deposited credits, return the receipt to the user (if the 2nd API posts the operation itself directly) or return an error.

I used JWT and RSA encryption for the signature of the token. Comments? Suggestions?