Is there a flaw in the API API authentication concept that I missed?

I've recently been thinking about how all the authentication methods used in API communications to APIs (RESTful APIs) are primarily methods that have been designed to be man-oriented (tokens) passwords etc) and how in the API this often means need a secret bank to store passwords tokens.

My idea is that the requestor API will contact the recipient's API with a hashed token and a Webhook callback address, the callback URL actually acting as the user's identity that the recipient's API then contacts ( in a new connection), to which it then gets the unstamped token From, the receiving token then compares the hashed and unhashed versions of the token and if they match, it knows that the requestor of the initial request is actually the API of the Web connection.

A workflow of the authentication process is described in detail in the following diagram:
authentication workflow process

I've also created a POC consisting of the concept docker on my github that works as I thought (please note that although I will gladly receive notes on the POC, this question only concerns concept theory in its together, guarantee).

The question

Is it really secure? Is there a vulnerability of this authentication method that would have allowed an attacker to fool the recipient's API by pretending to be another API?

If there is no way to prove without a doubt (mathematically or otherwise) that it is actually secure?

Suppose the following elements are given:

  • HTTPS is used (to protect against MITM) on all requests
  • The main database is secure
  • Tokens are generated randomly and are not reused
  • The hash function is modern enough to provide good protection
  • The DNS register of both APIs is secure
  • This is an authentication method only, no authorization or encryption.