Disclaimer: I am not an auth expert, but I know someone who is. All errors and ramblings below are mine, not theirs.
First, some considerations:
- Is your API a public data service or just the "backend piece" of your own web or mobile app?
- Are you employing a third party (e.g., "login with Facebook") or are you managing credentials yourself?
- Basic auth or token auth?
- Stateless (token fully contains verification info) or stateful (must consult data store every time to verify) tokens?
- Long-lived tokens or short-lived tokens?
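The last two questions in practice, as an added example that is not part of the original post: a stateless HMAC-signed token that is verified with the server key alone, beside a stateful opaque token that needs a store lookup but can be revoked instantly. The key, TTLs and user ids are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SERVER_KEY = b"example-hmac-key-not-for-production"  # constructed demo key; load from a secret store in practice

def issue_stateless(user_id, ttl_seconds, now=None):
    """Stateless token: subject and expiry travel inside the token, HMAC-signed by the server."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
    body = urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=")
    sig = urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest()).rstrip(b"=")
    return (body + b"." + sig).decode()

def verify_stateless(token, now=None):
    """Verify with the key alone (no data-store round trip). Returns the subject or None."""
    now = time.time() if now is None else now
    body, sep, sig = token.encode().partition(b".")
    if not sep:
        return None
    expected = urlsafe_b64encode(hmac.new(SERVER_KEY, body, hashlib.sha256).digest()).rstrip(b"=")
    if not hmac.compare_digest(sig, expected):  # constant-time compare defeats timing leaks
        return None
    claims = json.loads(urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    # With no server state, a short TTL is the only lever for cutting off a leaked token.
    return claims["sub"] if claims["exp"] > now else None

class StatefulTokenStore:
    """Stateful token: an opaque random handle; every check hits the store, but revocation is immediate."""

    def __init__(self):
        self._sessions = {}  # token -> (user_id, expiry); a DB or cache in a real service

    def issue(self, user_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # carries no information; it is only a lookup key
        self._sessions[token] = (user_id, now + ttl_seconds)
        return token

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        return entry[0] if entry and entry[1] > now else None

    def revoke(self, token):
        self._sessions.pop(token, None)  # takes effect on the very next request
```

The trade-off the list points at shows up directly: the stateless verifier cannot revoke anything before `exp`, so its TTL has to be short, while the stateful store pays a lookup per request in exchange for `revoke`.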