REST API - API first approach

by stoldo, Friday, January 06, 2023, 19:26 (473 days ago) @ Armaghan Saqib

Hey Armaghan!

Since the authentication is a core part of the API, I think we should really invest in getting it right from the beginning.

I agree that we can go with a token-based authentication. However, I suggest doing it user-based and short-lived (like we do it in our new portal).

What do I mean by that?
https://www.baeldung.com/cs/tokens-vs-sessions#token-based-authentication

Currently we access SQL-Ledger with username and password. It would be awesome if you could provide an endpoint that authenticates the user using those credentials and then provides a token that is valid for x amount of time.

This token can then be used to authenticate against your API (of course checking if the user has access to the used client/db)

The validity of this token gets refreshed (keep alive) on each request and expires after x amount of time of users inactivity.

This will significantly increase the security of the system, for example by greatly limiting the risk of leaked tokens. Security is a major concern for me here because we directly access sensitive customer data.

Let me know what you think.

I wish you a nice weekend!

Best regards,
Severin
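The scheme proposed in the post (credential login that issues a token bound to one user, keep-alive on every request, expiry after x seconds of inactivity, and a per-request check that the user may use the requested client/db) as an added, self-contained Python sketch. This is illustration code written for this thread, not SQL-Ledger code or anything from the portal mentioned above; the user table, the 900-second timeout, and the database names are constructed values. Tokens are stored only as SHA-256 digests so that a copy of the session table does not by itself yield usable tokens, and the clock is injectable so the expiry behaviour can be exercised deterministically.

```python
"""Short-lived, user-bound API tokens with sliding (keep-alive) expiry.

Constructed example for the design discussed in the thread; in-memory stores
stand in for whatever SQL-Ledger would persist. Not project code.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# The "x amount of time" of user inactivity after which a token dies (assumed value).
INACTIVITY_TIMEOUT = 900  # seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash, client/dbs the user may use).
_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT), {"acme_db", "globex_db"}),
    "bob": (_SALT, _hash_password("hunter2", _SALT), {"acme_db"}),
}


@dataclass
class Session:
    user: str
    databases: FrozenSet[str]
    last_seen: float


# Session store keyed by a digest of the token, not the token itself.
SESSIONS: Dict[str, Session] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Authenticate with username/password and issue a fresh token bound to that user."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, _SALT)
        return None
    salt, expected, dbs = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_token_key(token)] = Session(username, frozenset(dbs), now)
    return token


def authenticate(token: str, database: str, now: Optional[float] = None) -> Optional[str]:
    """Validate `token` for a request against `database`; return the username or None.

    Every successful call refreshes the inactivity timer (keep-alive), so the
    token lives as long as the user keeps working and dies INACTIVITY_TIMEOUT
    seconds after the last request.
    """
    now = time.time() if now is None else now
    key = _token_key(token)
    session = SESSIONS.get(key)
    if session is None:
        return None
    if now - session.last_seen > INACTIVITY_TIMEOUT:
        del SESSIONS[key]  # expired by inactivity; drop it so it cannot be revived
        return None
    if database not in session.databases:
        return None  # valid user, but no access to this client/db; timer not refreshed
    session.last_seen = now
    return session.user


def logout(token: str) -> bool:
    """Explicit revocation; returns True if a session was actually removed."""
    return SESSIONS.pop(_token_key(token), None) is not None


if __name__ == "__main__":
    t = 1_000.0
    tok = login("alice", "correct horse", now=t)
    print(authenticate(tok, "acme_db", now=t + 100))        # alice
    print(authenticate(tok, "acme_db", now=t + 100 + 901))  # None (inactive too long)
```

In a real deployment the session table would live in the database or a cache shared by all API workers, the token would travel in an `Authorization` header over TLS only, and `logout` gives the client a way to revoke a token early rather than waiting for the inactivity window to run out.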

