[bb88]

I feel like HTTP is too heavyweight for microservices. For monoliths, it's great. And the only way to proceed in your case is to convert microservices into mini-monoliths. Particularly the authentication side, which needs to be revalidated with every request.

gRPC might be better, but supposedly so was SOAP, CORBA, DCOM, XMLRPC, and finally REST.

[throwaway894345]

How does gRPC make authentication lighter-weight? Presumably you still have a token in either case which needs to be validated? There aren't many places where parsing HTTP requests is really a significant bottleneck, and I'd guess the majority of the remainder are an architectural problem (someone using a "get" endpoint in a tight loop instead of a "list" endpoint or some such).

[bb88]

Technically you could auth the connection using say, a custom SSL cert, and the connection isn't made unless the SSL cert is recognized.

There are other ways to do it as well where the socket connection is only authed once.