Actually, there are two questions (with sub-questions).
Today I have an already implemented token generation mechanism (inherited from a web application) that I'm using in my REST * API for mobile applications. The applications encourage the user to log in and password saved to avoid constant rewriting, so validating these credentials in order to obtain the initial token is an automatic step in the applications. The tokens have a size close to 2KB. I do not have much experience with authentication and I wanted to know how to properly implement authentication in the API in this case, for example if the token should go in the header Authentication and if my API should respond to an invalid token returning HTTP status 401 - Unauthorized , if the authentication method should be Basic or some other type. Today is brought a JSON with field login being true or false and in case of success the value of the initial token, but I know that this way of doing is inadequate.
The second question is a broader version of the first: In the scenario of an API used only by mobile devices that save the user from entering login and password, what form of authentication do you use? Should continue to adopt tokens? Or instead send login / password to every request? Talk about OAuth with Bearer ; Is this the preferred way? Am I mixing concepts?
* "REST" in a way that is probably considered "shameless"; I do not know much about what is called a "pure REST" and in addition the API is read-only, so I have no concern for idempotency or change server state consistently.