REST API - API first approach
Hey Armaghan!
Since the authentication is a core part of the API, I think we should really invest in getting it right from the beginning.
I agree that we can go with a token-based authentication. However, I suggest doing it user-based and short-lived (like we do it in our new portal).
What do I mean by that?
https://www.baeldung.com/cs/tokens-vs-sessions#token-based-authentication
Currently we access SQL-Ledger with username and password. It would be awesome if you could provide an endpoint that authenticates the user using those credentials and then provides a token that is valid for x amount of time.
This token can then be used to authenticate against your API (of course checking if the user has access to the used client/db).
The validity of this token gets refreshed (keep alive) on each request and expires after x amount of time of user inactivity.
This will significantly increase the security of the system by, for example, greatly limiting the risk of leaked tokens. Security is a major concern for me here because we directly access sensitive customer data.
Let me know what you think.
I wish you a nice weekend!
Best regards,
Severin
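A sketch of the token flow described in this message (credential login issuing a short-lived token, per-request keep-alive with an inactivity expiry, and a client/db access check), as an added Python example that is not part of the original thread or of SQL-Ledger; the user table, the salt, the 15-minute inactivity limit and the `TokenStore` class are constructed assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: username -> (salted password hash, client DBs the user may access)
SALT = b"constructed-demo-salt"


def _hash(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


USERS = {"severin": (_hash("correct horse"), {"clientA", "clientB"})}

INACTIVITY_LIMIT = 15 * 60  # "x amount of time" of inactivity, in seconds (assumed value)


class TokenStore:
    """In-memory store of opaque tokens; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self._tokens = {}  # token -> {"user": username, "last_seen": timestamp}

    def login(self, username: str, password: str):
        """Login endpoint: verify username/password, return a fresh random token or None."""
        rec = USERS.get(username)
        if rec is None or not hmac.compare_digest(rec[0], _hash(password)):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, tied to this user only
        self._tokens[token] = {"user": username, "last_seen": self.now()}
        return token

    def authenticate(self, token: str, client_db: str):
        """Per-request check. Returns the username, or None if the token is unknown,
        idle-expired, or the user has no access to client_db. A valid request refreshes
        the keep-alive timestamp (sliding expiry)."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        if self.now() - entry["last_seen"] > INACTIVITY_LIMIT:
            del self._tokens[token]  # expired through inactivity: revoke it outright
            return None
        if client_db not in USERS[entry["user"]][1]:
            return None  # authenticated, but not authorised for this client/db
        entry["last_seen"] = self.now()  # keep alive on each successful request
        return entry["user"]

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)
```

For a real deployment the token table would live in a shared store rather than process memory, and the password hash would use a slow, purpose-built algorithm instead of plain SHA-256.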