Ask HN: How to properly authenticate REST API?

4 points by ylorenzana ↗ HN
I've been researching this for about 4 days now and can't seem to find an industry consensus. What I'm almost sure not to do is: use JWTs, and implement stateless authentication— it's probably not worth it. I've read about using 16+ random bytes as a token, but am not sure of it's implementation. My understanding is: 1. generate the tokens in the server when a user logs in and store them in a tokens table in data store 2. respond to request with token 3. store token in cookie client side 4. include token in header of request as auth bearer for every protected URI

What am I missing here? I don't see that much of a difference from this to using a stateful JWT? Since the token would also be stored client side, wouldn't this have all the insecurities of JWTs?

1 comment

[ 4.6 ms ] story [ 14.9 ms ] thread
Don't over complicatr. Use HTTP basic authentication and be done with it.