0

I need to create "tokens" for users to send when they make calls to my API. My question is, what should I do to go about generating these tokens?

I should mention that I'm currently using modules such as everyauth and passport for authentication middleware, in case they include anything to help with this.

laggingreflex
  • Questions to help define the problem... What's the intended lifecycle of these tokens? Are they per session, or timed, or persistent? Can users give them to third parties to make calls on their behalf (and hence require expiry on demand)? At what point does the cost of breaking your security become greater than the value they could extract from the API? Does the token need to be a verifiable hash of another identifier, or can it just be a random string? – Richard Marr Feb 13 '13 at 23:15
  • Good questions. Every project is going to be different, but this is exactly the kind of thing I also need advice on. They would be per session and they would not be given to third parties – they would be used internally. The token can be whatever – as long as it is secure enough to be verified. –  Feb 13 '13 at 23:19

1 Answer

0

The typical way to issue tokens is using OAuth 2.0. OAuth2orize is a sibling project of Passport that provides a toolkit for implementing OAuth 2.0 authorization servers.

Although, based on your comment "They would be per session and they would not be given to third parties", I'm not sure what your use case is. How do you define a "session" outside of a browser context? And if this is in-browser, you're best off using the built-in session support provided by Express.

Jared Hanson