Ie I have a php script available at http accessed third-party website for GET with salt. Further, this script makes an https request (by the way, how is it done? via curl?), generates the response and sends it to the website. But no, the answer is, take it unencrypted. I just need to not caught.
\r
Third-party site is trying to authenticate the user using my. And in response I suppose you want to send the response to the authorized/not authorized. If an attacker is able to impersonate it, that is authorized for a third-party website.