Auth
Authentication
A mechanism for verifying a claimed identity: the client presents a credential (password, token, certificate, one-time code) and the server checks it before granting access to protected resources. Successful authentication establishes trust between the client and the server for the rest of the interaction.
Authentication answers the question "Who are you?". After successful verification, the server issues something the client can present on later requests (a session cookie or a token) instead of re-sending the credential every time.
Types of Authentication
1. Basic Authentication
- The client sends an Authorization: Basic <base64(username:password)> header with every request.
- Simple to implement, but Base64 is an encoding, not encryption: without HTTPS the credentials travel effectively in cleartext and anyone on the path can decode them instantly.
- Because the real password is resent on every request, a single interception is as bad as a database leak; usually used only for internal or temporary APIs, and only over TLS.
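An added example (not from the original page) of how a server should consume that header: the credential is parsed per RFC 7617 (split on the first colon only, since passwords may contain colons), the password is compared against a salted PBKDF2 hash rather than a stored plaintext, and the comparison is constant-time. The user store, the salt and the sample password are constructed demo data.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Hypothetical user store for the demo: salted password hashes, never plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse:battery", _SALT))}


def build_basic_header(username: str, password: str) -> str:
    """Client side: what a browser or curl -u puts on the wire (Base64 only, no secrecy)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Return (username, password) from an Authorization: Basic header, or None if malformed."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain a colon, the password may, so split on the first one only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header: str):
    """Server side: return the authenticated username, or None on any failure."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    username, password = creds
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt, stored = record if record else (_SALT, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    if record and hmac.compare_digest(candidate, stored):
        return username
    return None
```

Every request repeats the full PBKDF2 cost, which is one more reason Basic auth does not scale beyond small internal APIs.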
2. Session-based Authentication
- After login, the server creates a session record and stores it server-side (in memory, Redis, or a database).
- The client receives a cookie holding only an unguessable random session ID, which is sent with every request; the cookie should be marked HttpOnly, Secure and SameSite so scripts and cross-site requests cannot read or replay it.
- Disadvantage: the server holds state, so horizontal scaling needs a shared session store or sticky routing.
- Advantage: forced logout and "log out everywhere" are trivial, because deleting the record on the server invalidates the cookie immediately.
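An added example (not from the original page) of a minimal server-side session store with the properties listed above: 256-bit random session IDs, a TTL, per-session and per-user forced logout, and the cookie flags a hardened Set-Cookie header needs. The in-memory dict and the injectable clock are demo conveniences; a real deployment would back this with Redis or a database.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; hypothetical default for the demo


class SessionStore:
    """Server-side session table: session_id -> {user, expires}."""

    def __init__(self, ttl: int = SESSION_TTL, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested deterministically

    def create(self, username: str) -> str:
        # 32 random bytes (256 bits) encoded URL-safe: not guessable, not enumerable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": self._now() + self._ttl}
        return sid

    def lookup(self, sid: str):
        """Return the username for a live session, or None (and drop it) if expired/unknown."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if record["expires"] <= self._now():
            del self._sessions[sid]
            return None
        return record["user"]

    def revoke(self, sid: str) -> bool:
        """Forced logout of one session: the cookie becomes useless the moment this returns."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, username: str) -> int:
        """'Log out everywhere', e.g. after a password change; returns how many sessions died."""
        doomed = [sid for sid, rec in self._sessions.items() if rec["user"] == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def set_cookie_header(sid: str, max_age: int = SESSION_TTL) -> str:
    """Cookie carrying only the opaque ID; HttpOnly blocks script access, Secure forces TLS,
    SameSite=Lax stops most cross-site request forgery from sending it."""
    return f"Set-Cookie: sid={sid}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"
```

The lookup is what every request pays: one key fetch. That is cheap on a single node and is exactly the shared-state cost when the store has to be reachable from every replica.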
3. Token-based Authentication
- The server issues a signed token (usually a JWT), which the client stores and sends in the header Authorization: Bearer <token>.
- The server keeps no per-session state: the token carries its own claims (subject, expiry) and the signature proves the server issued them. Validation must verify that signature with a pinned algorithm; a token that merely parses is not authenticated.
- Suitable for SPAs and microservices, but the same statelessness means a token cannot be recalled: keep access tokens short-lived, check expiration on every request, and keep some state (a deny-list or rotating refresh tokens) for revocation.
4. OAuth 2.0 and Bearer Tokens
- OAuth 2.0 is a framework for delegated authorization, not authentication: an authorization server issues an access token (usually a Bearer token) after the user consents, and the token represents the client's permission to call the API on the user's behalf.
- "Bearer" means whoever holds the token can use it, so it must only travel over TLS and should be short-lived; possession is the only proof.
- Used with external providers (Google, GitHub, Facebook). Logging the user in with such a provider is OpenID Connect, which layers an identity (ID) token on top of the OAuth 2.0 flow.
5. Multi-factor Authentication (MFA)
- Adds a second, independent factor to the password: a TOTP code from an authenticator app, a hardware key, or biometrics. SMS codes are the weakest option because they can be intercepted or redirected by SIM swapping.
- Limits the damage of a stolen password: the attacker also needs the second factor, so phishing or a credential dump alone is not enough.
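An added example (not from the original page) of the TOTP factor as a server verifies it: HOTP per RFC 4226, the time-step counter per RFC 6238, a small drift window, constant-time comparison, and replay protection so a code phished in the last 30 seconds cannot be used a second time. The shared secret below is the RFC test key, used here as constructed demo data; real secrets are random per user.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at // step), digits)


# Hypothetical per-user table of the last accepted time-step counter (would live in the DB).
LAST_COUNTER = {}


def verify_totp(user: str, key: bytes, submitted: str, at: float,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift,
    compare in constant time, and never accept a counter at or below the last used one."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if c <= LAST_COUNTER.get(user, -1):
            continue  # already consumed: replaying a captured code fails
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            LAST_COUNTER[user] = c
            return True
    return False
```

The replay check is what turns a "something you have" factor into one that actually resists real-time phishing of a single code; without it, a proxy that relays the victim's code within the window logs in just as well as the victim.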
Authentication Lifecycle
- The user submits a login and password (plus a second factor where MFA is enabled).
- The server verifies the credentials and generates a session or a signed token.
- The client stores the identifier (session cookie or token) and sends it with every request.
- The server validates it on each request, renews it when it is about to expire (refresh flow), and invalidates it on logout or when the credentials change.
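An added example (not from the original page) that runs the token-based variant of this lifecycle end to end and also serves the Token-based Authentication section above: minting and verifying an HS256 JWT with the standard library, pinning the algorithm, checking expiry, and a refresh flow that rotates the refresh token and deny-lists the old one so a stolen refresh token cannot be replayed. The signing key, lifetimes and claim names are assumptions for the demo; the credential check that precedes login is out of scope here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # hypothetical signing key; load from a secret store in production
ACCESS_TTL = 300      # short-lived: bounds the damage of a leaked access token
REFRESH_TTL = 86400
REVOKED_REFRESH = set()  # jti deny-list: the small amount of state "stateless" tokens still need


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """header.payload.signature, HS256, compact JSON."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = SECRET, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token choose ("none", or RS256->HS256 confusion).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def login(username: str, now: float):
    """Lifecycle step 2: credentials already verified, issue an access + refresh pair."""
    access = mint_jwt({"sub": username, "typ": "access", "exp": now + ACCESS_TTL})
    refresh_token = mint_jwt({"sub": username, "typ": "refresh",
                              "jti": secrets.token_hex(16), "exp": now + REFRESH_TTL})
    return access, refresh_token


def authenticate_request(authorization_header: str, now: float):
    """Lifecycle step 4: validate the bearer token on every request; returns the subject or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    claims = verify_jwt(token, now=now)
    if claims is None or claims.get("typ") != "access":
        return None  # a refresh token must not be accepted where an access token is expected
    return claims["sub"]


def refresh(refresh_token: str, now: float):
    """Refresh flow: trade a live, unused refresh token for a new pair and burn the old one."""
    claims = verify_jwt(refresh_token, now=now)
    if claims is None or claims.get("typ") != "refresh" or claims["jti"] in REVOKED_REFRESH:
        return None
    REVOKED_REFRESH.add(claims["jti"])  # single use: a replayed refresh token is rejected
    return login(claims["sub"], now)
```

Rotation is the revocation story for this design: the access token expires on its own within minutes, and the refresh token is the only long-lived credential, so it is the one that gets a server-side deny-list and a one-shot lifetime.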