Questions about API

1

To make certain requests to the API, you must be logged in to the site. However, I had no idea how to do this, because I knew the API does not have sessions. So I did a search, found access tokens (API tokens) and implemented them in my application. Basically, at the end of the login a token was generated and saved in the DB, and later, when a request was made to the API, what was sent in the parameters was compared with what was in the database for verification. A friend warned me that this was a hack (gambiarra), and I also realized that some companies do not use this method.

What would be the most correct method to solve this problem? Would using JWT be a good option?

    
asked by anonymous 13.04.2017 / 05:18

1 answer

0

Yes, JWT is an approach that is on the rise. The point is that JWT is an open specification for encoding/decoding JSON tokens. By itself it does not define how you will use it.

The nice thing about JWT is that you do not need a database; with an authentication model based only on cryptography you can validate the access, thus leaving your API stateless.

Another widely used approach is the OAuth protocol, as there are many providers and many applications that use authentication using third-party resource providers such as Facebook, LinkedIn, and Google.

For more information:

- OAuth
- Facebook
- JWT

    
13.04.2017 / 21:20