Tags: php, rest, jwt, restful-authentication

RESTful API authentication design


A bit of a conceptual question: I am designing a private RESTful API that will be used by iOS and Android apps.

I am using JWT.

I have an api_users table that allows access to the API itself.

I also have a users table for individual user login using the apps (i.e. an individual's e-mail and password).

So here's where I'm confused:

  1. Should I ditch the api_users table and have a single authentication endpoint for users, or
  2. Should the login process require both the api_users' and the users' credentials for a valid JWT to be returned; or
  3. Should I have two separate auth endpoints (one for api_users and another for the regular users).

If I take the third route, in keeping with RESTful (stateless) design, would I need a second JWT to keep track of what user is requesting my API?

Thank you all!


Solution

You should not have two tables that represent two different types of users (e.g. API users / app users). One table is sufficient.

In terms of keeping track of what user is requesting your API, your logs should be sufficient unless you need to store and present additional metrics on the front-end, or you wish to limit access (throttling / one request per user at a time) and your framework does not manage this.

When your users authenticate with your app they will now be issued with a JWT token that can be used to make API calls.
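As an added example (not code from the question or the answer), the single-table flow the answer describes, in Python with only the standard library: one login endpoint checks the user's credentials and issues an HS256 JWT whose `sub` claim is the user's id, and every API request is then authenticated statelessly from that one token, so no second JWT is needed to know who is calling. The `USERS` dict, `SECRET`, `SALT` and user id 42 are constructed for the example.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"server-side-signing-key (example only)"  # assumed: held only by the API server
SALT = b"per-user salt (constructed)"               # a real table stores one salt per user

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed example data: a single users table, as the answer recommends (no api_users).
USERS = {"alice@example.com": {"id": 42, "pw_hash": _hash_pw("correct horse")}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def login(email: str, password: str, now: int, ttl: int = 900) -> Optional[str]:
    """Single auth endpoint: verifies the user's credentials and returns a signed JWT.
    The 'sub' claim names the user, so every later API request carries its caller's
    identity; no second token and no server-side session are needed."""
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_pw(password)):
        return None
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user["id"], "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate_request(token: str, now: int) -> Optional[int]:
    """Stateless check on every API call: returns the requesting user's id, or None
    if the token is malformed, not HS256, tampered with, or expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # the server, not the token, decides which algorithm is accepted
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if int(claims["exp"]) <= now:
            return None
        return int(claims["sub"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

The PBKDF2 password hash stands in for whatever slow hash the real users table uses; the JWT handling is what the answer's design turns on.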