The Elements of APIs

Appendix: Authentication

If you can get away with it, just give your client an access token and expect it to be returned as a Bearer token in the Authorization header of every request. If you have very few users—like if you’re building an API server for your colleagues to use on your first-party frontend—just find a reasonably straightforward way to generate tokens on the command line or in your database, and then hand them over. Don’t build an automated means of generating new access tokens unless your API needs to be accessed by many people who don’t already have a relationship with you and a means of communicating with you directly.
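To make the "just hand them a token" approach concrete, here is an added example (not code from the original article) of the minimal server side: minting a random token whose hash, not the token itself, goes into the store, and checking the `Authorization: Bearer` header on each request. The in-memory `TOKEN_STORE` dict and the `issue_token`/`authenticate` names are assumptions standing in for your database and framework middleware.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: sha256(token) -> user. In practice these rows
# live in the database; only the digest is kept, so a leaked table does not
# leak usable credentials.
TOKEN_STORE: Dict[str, str] = {}


def issue_token(user: str) -> str:
    """Mint a random Bearer token for a user and store only its hash.

    This is what "generate tokens on the command line" boils down to: the raw
    token is shown once to the person who will use it and never stored.
    """
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = user
    return token


def revoke_token(token: str) -> None:
    """Forget a token so it stops authenticating (e.g. when a colleague leaves)."""
    TOKEN_STORE.pop(hashlib.sha256(token.encode()).hexdigest(), None)


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user behind an 'Authorization: Bearer <token>' header, or None.

    The scheme name is compared case-insensitively (RFC 6750 permits either
    case) and digests are compared in constant time so response timing does
    not leak which stored token a guess is closest to. The linear scan is
    fine for the handful of users this approach is meant for.
    """
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    digest = hashlib.sha256(parts[1].strip().encode()).hexdigest()
    for stored_digest, user in TOKEN_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            return user
    return None
```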

If you are in the second camp, like if you’re building a public API and/or your API needs to make authenticated calls on behalf of a user, again: keep it simple and boring. It’s probably a good idea to use JWT, and your language/framework of choice probably has a popular library for generating them already. So just use that!