After a successful login, the returned user object contains an authorization token. That token must be present in the header of every API request, except the few endpoints that allow anonymous access. If the token isn't present, return 401. If the header exists but no corresponding user can be found, return 401. Once the header token identifies a system user, the user type or system user roles can be applied to determine whether the request is authorized.
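The check sequence described above, as an added example that is not code from the original page. It assumes a `Bearer` token in the `Authorization` header, a constructed in-memory token store, hypothetical endpoint names, and 403 for an authenticated user who lacks the required role (the page itself only specifies the two 401 cases).

```python
from dataclasses import dataclass
import hmac


@dataclass
class User:
    username: str
    roles: frozenset


# Constructed sample token store (token -> User). A real system would back
# this with a database and issue tokens from a CSPRNG at login time.
TOKEN_STORE = {
    "tok-admin-001": User("alice", frozenset({"admin", "staff"})),
    "tok-staff-002": User("bob", frozenset({"staff"})),
}

# Hypothetical endpoints that allow anonymous access.
ANONYMOUS_ENDPOINTS = frozenset({"/api/login", "/api/health"})

# Hypothetical endpoints that require a specific role.
ROLE_REQUIREMENTS = {"/api/admin/users": "admin"}


def lookup_user(token):
    """Map a presented token to a user, or None if no user matches."""
    # Constant-time comparison so the lookup does not leak how many
    # leading bytes of a guessed token matched a stored one.
    for stored, user in TOKEN_STORE.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def authorize(path, headers):
    """Return (status, user). 200 means the request may proceed."""
    if path in ANONYMOUS_ENDPOINTS:
        return 200, None                  # anonymous access permitted
    auth = headers.get("Authorization")
    if not auth:
        return 401, None                  # token not present
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None                  # malformed header, no usable token
    user = lookup_user(token)
    if user is None:
        return 401, None                  # header present, no matching user
    required = ROLE_REQUIREMENTS.get(path)
    if required and required not in user.roles:
        return 403, user                  # authenticated but not authorized
    return 200, user                      # authenticated and authorized
```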