Browser Session vs JWT tokens for authentication system for an app?
I'm working on an app idea. It's going to be "API first" in design, which means there is a clear separation between the backend and frontend. The former will be accessible through a REST API and the latter can be simple HTML without me having to delve too much into it. The idea is that the end users or clients will write their own front-end interacting with this REST API in the future.
Firstly, I want to know where to start. Writing a REST API seems quite easy and simple to me as a backend engineer, but I've never implemented a "pure API" app in practice. Do you just validate the headers, do the crunching and return a JSON response? What all must you take care of here?
Finally, authentication and session handling is something very important here, isn't it? If I make use of the session feature in the REST API (like PHP sessions or Django sessions, for example), authentication will be pretty easy. I don't have to worry about encryption, as SSL/TLS would already be doing that for me through the browser. But then what is the downside of this method? Why do so many people use JWT tokens then?
Coming to JWT tokens, is that the only way of encrypting/validating REST APIs, or are there others? My biggest concern here is scaling and performance. I'm willing to implement the most efficient path here, the one that gives the most performance using the least resources.
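An added example, not from this thread, contrasting the two options the question weighs: a stateless HS256 JWT carried in the Authorization header and verified with nothing but the signing key, next to a server-side session store that costs a lookup per request but can revoke immediately. The signing key and clock values are constructed for the demo; only the Python standard library is used.

```python
"""Stateless JWT (HS256) vs server-side session, side by side."""
import base64, hashlib, hmac, json, secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(key: bytes, sub: str, ttl: int, now: int) -> str:
    """Mint header.payload.signature; the server keeps no state afterwards."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(key: bytes, token: str, now: int) -> "dict | None":
    """Return the claims if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust "alg" from the token
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # constant-time compare against the recomputed MAC
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now:
            return None  # expired; a JWT cannot be recalled before this point
        return claims
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None

class SessionStore:
    """Server-side sessions: one store hit per request, but revocation is instant."""
    def __init__(self):
        self._sessions = {}  # session id -> (subject, expiry); in practice a shared store

    def create(self, sub: str, ttl: int, now: int) -> str:
        sid = secrets.token_urlsafe(32)  # opaque, unguessable id sent as the cookie value
        self._sessions[sid] = (sub, now + ttl)
        return sid

    def lookup(self, sid: str, now: int) -> "str | None":
        entry = self._sessions.get(sid)
        return None if entry is None or entry[1] <= now else entry[0]

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout takes effect on the very next request
```

Note that after `revoke` the session is dead immediately, whereas the JWT stays valid until `exp`; forcing early logout of a JWT means reintroducing server state (a denylist), which is the trade-off behind the scaling argument.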
Writing a REST API seems to not be that hard, but the devil is in the details.
curl. Authorization header.