I’m working on a web application that needs to support multiple client types like mobile apps and web browsers. The backend exposes REST endpoints for different operations.
My main confusion is about maintaining user sessions across API calls. Let’s say someone logs into my app successfully. Later, when they try to make a POST request to create a new post or comment, how does my server verify that this person is still authenticated?
I understand the basic login flow, but I’m stuck on the part where subsequent API requests need to prove the user’s identity. What’s the standard approach for handling this authentication state in REST services?
You could also go with session cookies plus API keys. User logs in, server creates a unique session ID, stores it in the DB, and sends it back as an HttpOnly cookie. Then every API call just checks that session ID against your DB. More server work than JWT, but you can kill sessions instantly if something goes wrong. Really depends what you need.
OAuth 2.0 with access tokens is another solid option, especially if you’re dealing with multiple clients. You authenticate once, get an access token from the auth server, then stick that token in the Authorization header for all your requests. The resource server validates tokens either through introspection calls or locally if you’re using JWTs. This scales way better than session-based auth when you’ve got multiple services in the mix. I used this setup last year for a project with both mobile and web clients - separating authentication from authorization made everything much cleaner. Token expiration keeps things secure while refresh tokens keep the user experience smooth.
JWT tokens are the way to go for stateless auth. Server creates a JWT with user info after login, sends it back to the client. Client sticks it in the Authorization header (Bearer scheme) for every request after that. Server just validates the token - no session storage needed. Works great across mobile and web since it’s just HTTP headers. Don’t forget to set expiration times and maybe add refresh tokens for better security. I’ve used this setup for two years now and it handles everything smoothly without the headache of managing sessions server-side.
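As an added example (not code from any of the answers above), here is what the server-side part of this answer looks like: after login the server mints an HS256 JWT with an `exp` claim, and on every later request it pulls the token out of the `Authorization: Bearer` header and validates it with a pinned algorithm, a constant-time signature check and an expiry check. The `SECRET` value is an assumed placeholder, not a real key.

```python
import base64, hashlib, hmac, json, time

# Assumed placeholder secret for the example; a real server loads it from configuration.
SECRET = b"example-secret-do-not-use-in-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id, ttl_seconds, now=None):
    """After a successful login: mint an HS256 JWT carrying the user id and an exp claim."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Validate a token on every request; return its claims, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(payload, dict):
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:  # missing or expired
        return None
    return payload

def authenticate_request(headers, now=None):
    """Read 'Authorization: Bearer <token>' from a request and return the user id if valid."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_token(token, now)
    return claims["sub"] if claims else None
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in a real handler it is left at its default.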