# general
@User
- Make sure the access token is generated with enough entropy and is long enough (>= 32 chars should be enough). You can use something equivalent to SecureRandom in Java (https://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).
- You can store the associated userId and lifetime in your db against the token. Do not send these to the frontend.
- From a performance point of view, you can cache this info and query the cache on each API call that uses the access token.
- Send this token as an Authentication bearer token in API requests (see https://swagger.io/docs/specification/authentication/bearer-authentication/).
- Make sure to check if the lifetime of the token has expired each time you authenticate the token from the db.
- Set up a cron job to remove expired tokens.
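The steps in the message above, worked through end to end as an added example (not code posted by anyone in the channel): a CSPRNG-generated token, a server-side record of userId and expiry that never leaves the backend, a cache in front of the store, expiry checked on every authentication, and the purge routine a cron job would call. Python's `secrets` module plays the role of SecureRandom. The `TokenStore` class, its in-memory dicts standing in for the database table and the cache, and the `authenticate` helper are all assumptions made for this example. It goes one step beyond the advice in the message: the store is keyed by the SHA-256 of the token rather than the token itself, so a dump of the table does not hand out usable credentials. The header read is `Authorization: Bearer <token>`, which is what the linked Swagger page describes.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_BYTES = 32         # 256 bits of entropy; token_urlsafe(32) yields a 43-char string
DEFAULT_LIFETIME = 3600  # seconds a freshly issued token stays valid


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float    # unix timestamp; stays server-side, never sent to the frontend


class TokenStore:
    """Stand-in for the token table plus a read cache in front of it.

    Both are plain dicts, constructed for this example. The key is the SHA-256
    of the token, so the table never holds the raw credential.
    """

    def __init__(self) -> None:
        self._db: Dict[str, TokenRecord] = {}
        self._cache: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, lifetime: int = DEFAULT_LIFETIME,
              now: Optional[float] = None) -> str:
        """Mint a token for user_id. Only the token string goes back to the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, the SecureRandom equivalent
        self._db[self._key(token)] = TokenRecord(user_id, now + lifetime)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a token to its user_id, or None. Expiry is checked on every call,
        whether the record came from the cache or from the table."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._cache.get(key)
        if rec is None:
            rec = self._db.get(key)
            if rec is None:
                return None
            self._cache[key] = rec                  # populate cache on first hit
        if rec.expires_at <= now:
            self._cache.pop(key, None)              # do not keep serving a dead token
            return None
        return rec.user_id

    def purge_expired(self, now: Optional[float] = None) -> int:
        """What the cron job runs: drop expired rows and their cache entries."""
        now = time.time() if now is None else now
        dead = [k for k, r in self._db.items() if r.expires_at <= now]
        for k in dead:
            del self._db[k]
            self._cache.pop(k, None)
        return len(dead)


def authenticate(headers: Dict[str, str], store: TokenStore,
                 now: Optional[float] = None) -> Optional[str]:
    """Extract the bearer token from the Authorization header and resolve it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return store.lookup(token, now)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice", lifetime=60)
    print(len(tok), authenticate({"Authorization": "Bearer " + tok}, store))
```

The `now` parameter exists only so the expiry and purge paths can be exercised deterministically; in production callers leave it unset and the wall clock is used. The cache here is unbounded, so a real deployment would put a TTL no longer than the token lifetime on its entries, or evict on purge as shown.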