I'm implementing a REST API with Play... and I know a REST API should be stateless. Well, my API is a hybrid, in the sense that when a user authenticates, I send back a token to be used to sign any subsequent request. This token expires after a period of time in which the user no longer sends requests to the server; on the server side, I use a MongoDB collection to handle active tokens.
Now my question is: how should I deal with this token? Should the request contain the token in the body? Or should I provide the token in the request headers?
Considering I'm using Play, is it still correct to use RequestHeader.cookies to send the token even if I don't really use cookies?
Any suggestion on how to implement a decent authentication mechanism for my REST API would be really appreciated.
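The scheme described in the question (login returns a token, every later request carries it, the server keeps active tokens in a MongoDB collection with an idle-timeout expiry) is usually carried in the `Authorization: Bearer <token>` request header rather than in the body or in a cookie, because the header is present on every method (including GET and DELETE, which have no body), is not sent automatically by browsers the way cookies are, and is what proxies and clients already understand. The following Play (Scala, 2.6+ API) action builder is an added example written for this answer, not code from the question; `TokenStore`, `TokenRecord`, `TokenAuthAction` and `AccountController` are assumed names, and `TokenStore` stands in for the MongoDB collection the question mentions. It looks the token up by its SHA-256 digest, rejects expired or unknown tokens with a `401` and a `WWW-Authenticate` header, and refreshes the idle deadline on each authenticated request.

```scala
import javax.inject.Inject
import java.security.MessageDigest
import java.time.Instant
import play.api.mvc._
import scala.concurrent.{ExecutionContext, Future}

// Assumed abstraction over the "active tokens" MongoDB collection from the question.
// Only a digest of the token is stored, so a leaked collection does not yield usable tokens.
case class TokenRecord(tokenHash: String, userId: String, expiresAt: Instant)

trait TokenStore {
  def find(tokenHash: String): Future[Option[TokenRecord]]
  // Push the idle deadline forward after a successful request (sliding expiry).
  def touch(tokenHash: String, seenAt: Instant): Future[Unit]
}

// Request wrapper that carries the authenticated user id to the controller action.
case class AuthenticatedRequest[A](userId: String, request: Request[A])
  extends WrappedRequest[A](request)

class TokenAuthAction @Inject()(val parser: BodyParsers.Default, store: TokenStore)
                               (implicit val executionContext: ExecutionContext)
  extends ActionBuilder[AuthenticatedRequest, AnyContent] {

  // Accepts "Authorization: Bearer <token>" with the token68 character set of RFC 6750.
  private val Bearer = "^Bearer\\s+([A-Za-z0-9._~+/=-]+)$".r

  private def sha256Hex(s: String): String =
    MessageDigest.getInstance("SHA-256")
      .digest(s.getBytes("UTF-8"))
      .map("%02x".format(_))
      .mkString

  // 401 with the challenge header a bearer-token client expects; the reason is
  // deliberately generic so the response does not distinguish unknown from expired tokens.
  private def unauthorized: Result =
    Results.Unauthorized.withHeaders(
      "WWW-Authenticate" -> """Bearer realm="api", error="invalid_token"""")

  override def invokeBlock[A](request: Request[A],
                              block: AuthenticatedRequest[A] => Future[Result]): Future[Result] =
    request.headers.get("Authorization") match {
      case Some(Bearer(token)) =>
        val hash = sha256Hex(token)
        val now  = Instant.now()
        store.find(hash).flatMap {
          case Some(rec) if rec.expiresAt.isAfter(now) =>
            // Valid and not yet idle-expired: refresh the deadline, then run the real action.
            store.touch(hash, now).flatMap(_ => block(AuthenticatedRequest(rec.userId, request)))
          case _ =>
            // Expired or unknown token (the store's TTL cleanup may lag, so the check is explicit).
            Future.successful(unauthorized)
        }
      case _ =>
        // No header, or not a bearer token: the client must authenticate first.
        Future.successful(unauthorized)
    }
}

// Usage: compose the builder into any controller action that needs an authenticated user.
class AccountController @Inject()(cc: ControllerComponents, auth: TokenAuthAction)
  extends AbstractController(cc) {

  def me: Action[AnyContent] = auth { req =>
    Ok(s"authenticated as ${req.userId}")
  }
}
```

With this in place the token never travels in a cookie, so Play's `RequestHeader.cookies` is not involved and the API is not exposed to cookie-driven cross-site requests; the one thing the header approach does require is that the API only be served over HTTPS, since the bearer token is the whole credential.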