So, I've read a lot about different REST API authorization and authentication workflows over the past few days and figured I would reach out to see what folks thought. Here's my situation:
Mobile App: The app does not require a user to log in, but does make use of data provided by the REST API.
Single Page App: A user logs into the SPA and can see/change data provided using AJAX calls to the REST API. The login is mainly to restrict access to the web app and not the REST API.
API Testing via Postman: I'm using Postman to test and debug the API routes / responses.
Any thoughts on an effective scheme to ensure only authorized client/apps can access the REST API?
Thanks in advance!