
So let's say I have an iOS or Android app that needs to talk to my REST API. I have my user login in the app, which does Basic Auth over HTTPS.

Once they're authenticated, I generate a token and send it to them. They store it, and use that token from here on out (HTTPS only).

Perhaps I expire it after some time (hours or days, if I don't want my user to have to log in all the time).

That's it? :D Seems like I'm missing something...

That sounds good. Think about how, e.g., Gmail lets you persist sessions on each device. They're doing a password auth over HTTPS and leaving a cookie with some session token.

That sounds very close to OAuth 2.
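
The flow described in this thread (one password login over HTTPS, then an expiring token on every later request), sketched server-side as an added example that is not code from any of the commenters. `TokenStore`, its method names and the 24-hour lifetime are assumptions, and the dict stands in for a database table.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; the thread only says "hours or days"


class TokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is kept, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Call only after the password check over HTTPS has succeeded."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token  # the raw token goes to the app once and is never stored

    def verify(self, token):
        """Return the user id for a live token, else None."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        user_id, expires_at = row
        if self._clock() >= expires_at:
            del self._rows[key]  # drop expired tokens on sight
            return None
        return user_id

    def revoke(self, token):
        """Logout or lost device: forget the token server-side."""
        self._rows.pop(self._digest(token), None)
```

The `revoke` path is the piece the original description leaves out: expiry alone gives no way to cut off a token from a lost or stolen phone before its lifetime ends.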
