The optimal architecture of a validation client for the API?

Features:
Closed API, part of the functionality with user authorization, part no.

Goal:
To limit the possibility of queries exceptionally trusted customers.

Options:
  1. To authorize the client via JWT. The point is simple - send a key-a secret, verifiable and in response send a token. The token stored on the server. All requests to the API are tokenized.
    The problem is to store tokens: a pair of key-a secret for the client alone, and tokens will be many. Is it worth it..?
    UPD: didn't know that JWT does not require a storage token that is issued. However, this leaves the question of the authorization of the client
  2. On the client stored a string, encrypt it and sent to the server. Check if everything is fine - that processed the request. Not issued token, as you can tell. Well, as a plus for each customer (however many there are) - one record in the database.
  3. Any more?

Pay attention:
The question is not about authorization of the client by the pair of login and password, namely restricted access to the API from the client (mob. application, desktop, web etc.)
July 12th 19 at 16:34
2 answers
July 12th 19 at 16:36
Solution
For those seeking a solution:
Validation of client is best done via the header
July 12th 19 at 16:38
Good evening, here's a short article, to clearly see 2 common ways:
https://auth0.com/blog/2014/01/07/angularjs-authen...

p.s. 1 option, something tells us that the essence of jwt You missed. It is completely stateless authentication.
but the 2 option is more like a Bicycle. Read the article above and jwt will solve all your problems)
And when the author wants to withdraw an issued jwt, then will start the epic with writing hacks, the essence of which is reduced to the storage of these withdrawn jwt somewhere. On that website that you gave is just there such a short article. And all stateless on this end. - idell_Krajcik commented on July 12th 19 at 16:41
: Yes, this issue is also a concern. To store the souls of the dead...doesn't want to. - alvera45 commented on July 12th 19 at 16:44
: well, you can remove them after expire expired.
I'm a little on the other, in this case, the meaning of jwt is lost because you need somewhere to look to learn about the revoked token or not. Why went (storage of tokens), and came to the (storage of revoked tokens)





















































































































































































































































































































































































































































































































































































































































































. - idell_Krajcik commented on July 12th 19 at 16:47

Find more questions by tags APIRESTful APILaravel