Which authentication method to use?
I have a REST API with protected endpoints, which require an AccessToken for access. For the user to receive the AccessToken, they need to access the login endpoint and with the correct credentials (username/password) the AccessToken will be returned to them, as well as the RefreshToken, via HTTP-Only Cookies. So far so good. In this same REST API, I have other endpoints aimed at issuing reports that should not be viewed by users with logins and passwords, but rather by a website that I built in NextJS. Some website links will have access to these other endpoints. In this case, it would be strange for me to create a login/password for the website. What type of authentication would be suggested in this case between my website/my REST API? PS: My client website already has its own authentication system and these REST API points are administrative and will only be accessed by the website, they will not be accessed by a common client with an app that requires an AccessToken to load its own data... If I Using the REST API authentication system, I will have to create an administrative user for each user who already has a login on my website, force them to log in again by sending the credentials as if they were a regular user. I don't know how to proceed in this case, but from what I've been studying, the ideal solution would be to use the concept of API KEY, which from what I understand would be a key that would only be known by my website (server side) and by the REST API to check each request.
I have a REST API with protected endpoints, which require an AccessToken for access. For the user to receive the AccessToken, they need to access the login endpoint and with the correct credentials (username/password) the AccessToken will be returned to them, as well as the RefreshToken, via HTTP-Only Cookies. So far so good.
In this same REST API, I have other endpoints aimed at issuing reports that should not be viewed by users with logins and passwords, but rather by a website that I built in NextJS. Some website links will have access to these other endpoints. In this case, it would be strange for me to create a login/password for the website. What type of authentication would be suggested in this case between my website/my REST API?
PS: My client website already has its own authentication system and these REST API points are administrative and will only be accessed by the website, they will not be accessed by a common client with an app that requires an AccessToken to load its own data... If I Using the REST API authentication system, I will have to create an administrative user for each user who already has a login on my website, force them to log in again by sending the credentials as if they were a regular user. I don't know how to proceed in this case, but from what I've been studying, the ideal solution would be to use the concept of API KEY, which from what I understand would be a key that would only be known by my website (server side) and by the REST API to check each request.
