Hey everyone! I'm currently working on an internal API for my company that needs to receive the username of the employee who is logged into another internal web app. The other app has a login page, which adds a level of verification. Right now, we simply send the logged-in user's credentials (username, email) through the API. I trust the other app since it's all internal and I have direct communication with the developers. However, I'm curious—if we didn't have this ongoing communication, how could I verify that the credentials are accurate and that the requests are genuinely coming from an authenticated user? Thanks for the help!
2 Answers
You might want to look into using JWTs or authentication cookies. They're great for making sure that the requests your API receives are validated and come from the right users—especially if you later decide to scale or include more services.
If you're working within a microservices architecture, consider implementing an Auth Service (like Auth0 or Keycloak) to handle user verification. It can generate JWT tokens for all your services, which can then be independently verified. Basically, every API request would include a JWT that the Auth Service checks for validity before allowing access.
Just a heads up—completely replacing your authentication system is likely overkill. You can use JWT or similar methods for proving identity without needing a massive overhaul of your infrastructure.
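Both answers point at JWTs as the way for the API to check that a request really comes from a user the web app authenticated. As an added illustration (not code from either answer, and not the API of Auth0 or Keycloak), the block below shows the smallest useful version of that round trip using only the Python standard library: the web app signs a short-lived HS256 token carrying the logged-in username, and the API accepts the username only after checking the signature, the pinned algorithm, issuer, audience and expiry. The shared secret, the issuer and audience names and the claim layout are assumptions; a real deployment would load the secret from a secret store (or use an asymmetric algorithm so the API holds only a public key) and would normally use a maintained library rather than hand-rolled parsing.

```python
"""Minimal HS256 JWT issue/verify round trip (added example, standard library only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; in practice load the secret from a vault and rotate it.
SHARED_SECRET = b"replace-with-a-long-random-secret-from-your-vault"
ISSUER = "internal-web-app"   # assumed name of the app with the login page
AUDIENCE = "internal-api"     # assumed name of the API that consumes the tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, email: str, now=None, ttl: int = 300) -> str:
    """Web-app side: mint a short-lived token for the user who just passed the login page."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,        # who vouches for the user
        "aud": AUDIENCE,      # which service the token is meant for
        "sub": username,      # the identity the API actually needs
        "email": email,
        "iat": now,
        "exp": now + ttl,     # short lifetime limits the damage of a leaked token
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    """Raised for any token the API must not trust."""


def verify_token(token: str, now=None) -> dict:
    """API side: return the claims only if every check passes; otherwise raise TokenError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides how to check, never the token header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(
        SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison, checked before anything in the payload is parsed or used.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


if __name__ == "__main__":
    tok = issue_token("jdoe", "jdoe@example.com")
    print("API trusts username:", verify_token(tok)["sub"])
```

The point the API cares about is the order of checks: signature first, then the issuer/audience/expiry claims, and only then the username. Sending the username alone, as the question describes, gives the API no way to tell a forwarded login from a hand-written request; the signed token is what turns "the web app says this user is logged in" into something the API can check on its own.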