by tboyd47 3078 days ago
Authentication is such a mess, I don't even know where to begin. Most APIs rely on some sort of token-based auth, communicated via the header format: "Authorization: Bearer abc123", as opposed to placing it in the Cookie, as most web sites will do. Many solutions exist, like OAuth2, JWT, etc. but that's ultimately what it all boils down to.

Is there any reason to favor bearer tokens over cookies?
If you use a cookie for an API, it will look like you don't know what you are doing. Also, there are extra rules around cookies (expiration, length, etc.) that may bite you if you use them outside a browser context.
Ah, so there are other contexts (e.g. native mobile apps) that may be sharing the API, not just browser (web) apps. I think I get it. Thanks.
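As an added example that is not code from anyone in this thread: a strict parser for the `Authorization: Bearer <token>` header format discussed above, following the RFC 6750 token grammar, plus a lookup that compares the presented token in constant time. The headers are assumed to be a plain dict and the token store is a constructed sample, not a real framework object.

```python
import hmac
import re

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)[ \t]*$", re.IGNORECASE)


def extract_bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None.

    headers is a plain dict of header name -> value (constructed input, not a
    real framework request). Header names are matched case-insensitively.
    Rejects a missing header, another scheme (Basic, Digest, ...), an empty
    token, and any character outside the RFC 6750 token alphabet.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "authorization":
            value = raw
            break
    if value is None:
        return None
    match = _BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def authenticate(headers, valid_tokens):
    """Map a request's bearer token to a principal name, or None.

    valid_tokens is a dict token -> principal (constructed sample store).
    hmac.compare_digest keeps each comparison constant-time so a wrong token
    does not reveal how many leading characters matched.
    """
    presented = extract_bearer_token(headers)
    if presented is None:
        return None
    for token, principal in valid_tokens.items():
        if hmac.compare_digest(presented.encode(), token.encode()):
            return principal
    return None


if __name__ == "__main__":
    store = {"abc123": "alice"}
    print(authenticate({"Authorization": "Bearer abc123"}, store))  # alice
    print(authenticate({"Cookie": "session=abc123"}, store))        # None
```

A cookie-based client sending `Cookie: session=abc123` is rejected by design: the API accepts only the bearer header, so browser cookie rules (expiry, path, size) never apply to it.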