What is the correct way to authenticate to a REST API used by mobile applications?


Actually, there are two questions (with sub-questions).

  • Today I have an already implemented token generation mechanism (inherited from a web application) that I am using in my REST * API for mobile applications. The applications let the user save their login and password to avoid retyping them constantly, so validating these credentials in order to obtain the initial token is an automatic step in the applications. The tokens have a size close to 2 KB. I do not have much experience with authentication and I wanted to know how to properly implement authentication in the API in this case, for example whether the token should go in the Authentication header, whether my API should respond to an invalid token by returning HTTP status 401 - Unauthorized, and whether the authentication method should be Basic or some other type. Today a JSON is returned with a field login being true or false and, in case of success, the value of the initial token, but I know that this way of doing it is inadequate.

  • The second question is a broader version of the first: in the scenario of an API used only by mobile devices that save the user from entering login and password, what form of authentication do you use? Should I continue to adopt tokens? Or instead send login / password with every request? There is talk of OAuth with Bearer; is this the preferred way? Am I mixing concepts?

  • * I use "REST" in a way that is probably considered "shameless"; I do not know much about what is called "pure REST" and, in addition, the API is read-only, so I have no concern for idempotency or changing server state consistently.

    asked by anonymous 04.12.2014 / 19:50
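The pattern the question circles around (credentials exchanged once for an opaque token, the token sent in the `Authorization: Bearer` header on every read request, and `401` plus a `WWW-Authenticate` challenge instead of a `login: false` body when the token is missing, invalid or expired) is sketched below as an added example. It is not code from the question or the answers; the in-memory user table, token store, TTL, salt and sample user are constructed for the example and would be a database and a secret-backed configuration in a real API.

```python
"""
Added example (not from the question or answers): server side of a bearer-token
scheme for a read-only REST API, following the RFC 6750 conventions the question
asks about. Everything stored here (users, tokens) is constructed for the example.
"""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 3600  # assumption: short-lived tokens; the app logs in again when one expires
PBKDF2_ROUNDS = 100_000   # assumption: work factor for the stored password hash


def make_user(password: str) -> dict:
    """Constructed user record: only a salted PBKDF2 hash of the password is kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def login(users: dict, store: dict, username: str, password: str, now: float):
    """Exchange credentials once for an opaque token (the app never resends the password).

    Returns the token string, or None if the credentials do not verify.
    """
    user = users.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["digest"]):  # constant-time comparison
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, ~43 characters, nowhere near 2 KB
    # Store only a hash of the token: a leaked token table cannot be replayed against the API.
    store[hashlib.sha256(token.encode("utf-8")).hexdigest()] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def parse_bearer(headers: dict):
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    value = headers.get("Authorization")
    if not value:
        return None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def handle_request(store: dict, headers: dict, now: float):
    """Return (status, response_headers, body) for a protected read-only resource.

    Authentication failures are signalled by the HTTP status and the
    WWW-Authenticate header (RFC 6750 section 3), not by a boolean in the body.
    """
    token = parse_bearer(headers)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "missing bearer token"}
    # Lookup is keyed by the SHA-256 of the presented token; an attacker cannot steer
    # that lookup towards a stored entry without already knowing the token.
    record = store.get(hashlib.sha256(token.encode("utf-8")).hexdigest())
    if record is None or record["expires"] <= now:
        challenge = 'Bearer realm="api", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, {"error": "invalid or expired token"}
    return 200, {"Content-Type": "application/json"}, {"user": record["user"], "items": []}


if __name__ == "__main__":
    users = {"alice": make_user("correct horse battery staple")}  # constructed sample user
    store = {}
    t0 = 1_700_000_000.0  # constructed clock value, seconds since the epoch
    tok = login(users, store, "alice", "correct horse battery staple", t0)
    print(handle_request(store, {"Authorization": "Bearer " + tok}, t0 + 5))
    print(handle_request(store, {}, t0 + 5))
    print(handle_request(store, {"Authorization": "Bearer " + tok}, t0 + TOKEN_TTL_SECONDS + 1))
```

The mobile app keeps the saved credentials only for the `login` step; every subsequent read carries the token, and a `401` with `error="invalid_token"` tells the app to log in again rather than to parse a custom JSON flag. With OAuth 2.0 the token issuance moves to an authorization server, but the resource side (Bearer header in, `401` and `WWW-Authenticate` out) is exactly this.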

    2 answers


    Just like Abraham, I also believe that currently the most commonly used method for mobile application authentication is with accounts pre-registered on the devices (read: use of social network accounts or the account set up on the device [Google Play]). I am particularly using the same Android authentication scheme that Google offers, using OAuth2 in conjunction with Google Account and Google Play Services.

    But I know that does not answer your question. However, I believe the following links will certainly get your questions answered: link link

    I hope this helps a little. Good luck!

    08.04.2015 / 21:31

    Answering the second question, but the first question can be taken as a basis: I believe that the most common authentication method today is to use a Google authentication API, Facebook, or some other well-known API (it depends on your target audience), both for mobile devices and websites.

    11.12.2014 / 16:40