Introduction

Token auth is a simple approach to authentication, which is most suitable for mobile apps and embedded systems.

Each user / client has a token generated for them. The token is just a random string - no information is embedded within it, as is the case with JWT.

When a client makes a request, the token needs to be added as a header. The user object associated with this token is then retrieved from a TokenAuthProvider. By default, this is a Piccolo table, but you can implement your own token provider if you so choose.

The token doesn’t expire. It’s suitable for mobile apps and other systems where tokens can be securely stored on the device. The client logic is simple to implement, as you don’t have to worry about refreshing your token.

It’s not recommended to use this type of authentication with web apps, because you can’t securely store the token using JavaScript, which makes it susceptible to exposure using a XSS attack.

---

Header format

The client has to make a request which includes the Authorization HTTP header, with a value of Bearer SOMETOKEN.