Mobile login to FusionAuth workflow: FusionAuth called on /api/login by "application" or "application backend"?


My question is regarding this (very helpful!) document, specifically about the "Login" section: https://fusionauth.io/articles/logins/mobile/native-login-form-to-fusionauth-jwts-refresh-tokens

In the general text it says: "This login form POSTs the user’s credentials (email and password) to the backend of the application. The application backend then in turn calls to FusionAuth."

Yet, the sequence diagram shows that the mobile client (the "application", not the "application backend") is calling FusionAuth's /api/login. Also in step 2 of the explanations it says "The application POSTs the form data directly to FusionAuth".

What is recommended, who is calling FusionAuth's /api/login: the mobile application or that application's backend?

Just want to make sure I'm not mixing up things, thanks.


Solution

  • Sorry for the confusion. This is indeed a bug in our docs. It will be updated shortly.

    The recommended way is to call FusionAuth directly if possible. You can also call through your backend to FusionAuth, but this is an extra network hop that isn't necessary in many cases. If your FusionAuth instance is publicly accessible, just have the mobile app call the /api/login API directly.