Open Fayeredd opened 7 years ago
Look into JWT
API doesn't need a login feature
Thanks Taylor :p
I think a good direction is to require every request to have a JWT.
More specifically it'll be a JWS that is signed by a secret that our API knows (but not the client who sends the request).
Once we have that, we can talk about standardizing the payload of the JWT. What claims do we want, how does that change which endpoints are allowed, etc.
Utilizing Spring Security and a separate database for storing users, implement a secure access feature