I have designed a simple HTML/CSS and JS/jQuery application, and now it's the moment of authentication integration. On the server side, I have done a REST API which allows clients to get some data. But, now I want to authenticate each request with access and/or session token.

I read many websites to find agreements or advice to establish security between the client (JS) and the REST API (PHP), but unfortunately I found nothing or not interesting. So I ask you to enlighten me (if you want) to know what to do, what to implement, conventions, etc.

What I read:

Designing a Secure REST (Web) API without OAuth

Token Based Authentication for Single Page Apps (SPAs)

I cannot post more links according to my reputation...

Just give me advice, ways how to store private token (RSA) or access/session token for API.

Don't hesitate to give your reaction, and tell me if I'm not exact or something else.

I have designed a simple HTML/CSS and JS/jQuery application, and now it's the moment of authentication integration. On the server side, I have done a REST API which allows clients to get some data. But, now I want to authenticate each request with access and/or session token.

I read many websites to find agreements or advice to establish security between the client (JS) and the REST API (PHP), but unfortunately I found nothing or not interesting. So I ask you to enlighten me (if you want) to know what to do, what to implement, conventions, etc.

What I read:

Designing a Secure REST (Web) API without OAuth

Token Based Authentication for Single Page Apps (SPAs)

I cannot post more links according to my reputation...

Just give me advice, ways how to store private token (RSA) or access/session token for API.

Don't hesitate to give your reaction, and tell me if I'm not exact or something else.

• javascript
• php
• authentication
• token

Share Improve this question Follow edited Aug 12, 2016 at 11:20 Termininja 7,0561212 gold badges5050 silver badges5050 bronze badges asked Aug 12, 2016 at 8:27 Loic P.Loic P. 71166 silver badges1818 bronze badges

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 3

You need to use a token-based authentication for your REST API. JWTs are the best in this particular case.

Why Use JSON Web Tokens?

1. Tokens are stateless. The token is self-contained and contains all the information it needs for authentication. This is great for scalability as it frees your server from having to store session state.

2. JWTs can be generated from anywhere. Token generation is decoupled from token verification allowing you the option to handle the signing of tokens on a separate server or even through a different pany such us Auth0.

3. JWTs have fine-grained access control. Within the token payload you can easily specify user roles and permissions as well as resources that the user can access.

This will be your typical authentication flow process:

1. A user signs up/logs in, during the login process, you generate a JSON web token from the server and return it to the client. Since you are using PHP, you can use this library for the generation and signing of the token.
2. Store the JWT returned to the client on the browser Web Storage(local/session storage). It can also be stored in a cookie.
3. For subsequent HTTP requests from the client to the server, you send the token via headers/query, then the server validates the token. If it's valid, the user is authenticated otherwise the user is rejected.

BTW, if you don't want to implement authentication yourself, you can use Auth0, check out VanillaJS SPA and PHP quickstart

I hope this information helps. Cheers!

Authenticating REST API's with JavaScript front-ends is difficult because the JavaScript code is pletely readable by anyone visiting the site so storing any kind of login credentials is no good.

With a standard Server to Server set-up simply using basic auth over HTTPS is more than enough but basic auth is no good for JavaScript SPA's as the credentials are in plain view.

For SPA's you need to be looking at JSON WebTokens, as your back end is in PHP you need to be looking at PHP-JWT from firebase. You can get the code here: https://github./firebase/php-jwt or remended using poser:

poser require firebase/php-jwt

The package makes implementing JWT super simple see the docs for a plete code example. Also check out the JWT for a plete break down https://jwt.io/

I suppose Jwt (https://jwt.io/) is good solution for your question.

On the client side you can store the token on the localStorage or some global variable (for SPA).

You can transfer token on the HTTP header or as request parameter. It works.

Also you can see https://auth0./blog/angularjs-authentication-with-cookies-vs-token/