@User
- Make sure the access token is generated with enough entropy and is long enough (>= 32 chars should be enough). You can use something equivalent to SecureRandom in Java (https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).
- You can store the associated userId and lifetime in your db against the token. Do not send these to the frontend.
- From a performance point of view, you can cache this info and query the cache on each API call that uses the access token.
- Send this token as an Authentication bearer token in API requests (see https://swagger.io/docs/specification/authentication/bearer-authentication/).
- Make sure to check if the lifetime of the token has expired each time you authenticate the token from the db.
- Set up a cronjob to remove expired tokens.
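The scheme in the answer above, as an added example (not code from the original post): a CSPRNG-generated opaque token, the userId and expiry kept server-side against the token, an expiry check on every bearer-token lookup, and a purge routine a cron job would call. It goes one step beyond the answer by keying the store on SHA-256(token) rather than the raw token, so a leaked table does not contain usable tokens. The in-memory dict and the injectable clock stand in for the real database and wall clock.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32          # 256 bits of entropy; encodes to 43 url-safe chars
DEFAULT_LIFETIME = 3600   # seconds; constructed value for the example


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float


class TokenStore:
    """Opaque bearer-token store. The dict stands in for a DB table; it is
    keyed by SHA-256(token) so the stored value alone is not a usable token."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for deterministic tests
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, lifetime: int = DEFAULT_LIFETIME) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, like SecureRandom
        self._records[self._key(token)] = TokenRecord(user_id, self._clock() + lifetime)
        return token   # only the token goes to the client; userId/expiry stay here

    def authenticate(self, authorization_header: str):
        """Return the userId for a valid 'Bearer <token>' header, else None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        rec = self._records.get(self._key(token))
        if rec is None or rec.expires_at <= self._clock():
            return None   # unknown or expired: both are rejected identically
        return rec.user_id

    def purge_expired(self) -> int:
        """Delete expired rows (what the cron job runs); returns count removed."""
        now = self._clock()
        dead = [k for k, r in self._records.items() if r.expires_at <= now]
        for k in dead:
            del self._records[k]
        return len(dead)
```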