A closed API: part of the functionality is behind user authorization, part is not. Goal:
To restrict querying to trusted clients only. Options:
- Authorize the client via JWT. The idea is simple: the client sends a key and a secret, they are verified, and a token is returned in response. The token is stored on the server. All requests to the API carry the token.
The problem is storing the tokens: there is only one key/secret pair per client, but there will be many tokens. Is it worth it..?
UPD: I didn't know that JWT does not require storing the issued tokens. However, this still leaves the question of authorizing the client.
- A string is stored on the client, encrypted and sent to the server. The server checks it, and if everything is fine, it processes the request. No token is issued, as you can see. As a plus, for each client (however many there are) there is one record in the database.
- Any other options?
The question is not about authorizing the client by a login/password pair, but specifically about restricting access to the API from the client application (mobile, desktop, web, etc.).
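As an added example (not from the original question), here is a minimal stateless version of the first option using only Python's standard library: the client exchanges its key/secret for an HS256 JWT, and the server later verifies requests from the signature and expiry alone, with no token table. The client names, secrets and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values for this example (not from the original question).
SERVER_SECRET = b"server-signing-secret-change-me"
# One record per client: client key -> SHA-256 of the client secret, stored at registration.
CLIENTS = {
    "mobile-app-1": hashlib.sha256(b"client-secret-1").hexdigest(),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    # HS256: HMAC-SHA256 over "header.payload" with the server's key
    return _b64url(hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest())


def issue_token(client_key: str, client_secret: str, ttl: int = 3600, now=None) -> Optional[str]:
    """Exchange a client key/secret for a signed JWT. Nothing about the token is stored."""
    expected = CLIENTS.get(client_key)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # constant-time compare so a wrong secret does not leak where it first differs
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": client_key, "iat": now, "exp": now + ttl}, **compact).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_sign(signing_input)}"


def verify_token(token: str, now=None) -> Optional[dict]:
    """Validate signature and expiry from the server secret alone; no token lookup needed."""
    try:
        header_b64, payload_b64, sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # accept only the algorithm we issue (rejects "none" and other substitutions)
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        if not hmac.compare_digest(_sign(signing_input).encode(), sig.encode()):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or split -> not a valid token
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```

Whatever secret a mobile or desktop build ships with can be recovered from the binary, so this restricts access only as far as the client secret stays secret; short token lifetimes and the ability to rotate a client's secret (the one record per client) are what bound the damage.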