Best Practice for Backend Authentication

I’m just wondering what the best-practice approach to authentication is when service calls may originate from backend infrastructure, e.g. a scheduling service or an integration middleware piece, where a “user” is not readily known.

Is the answer to generate a never-expiring JWT and use it in requests?

I’d use either an API Key or JWT.

A JWT with a long expiry is nice since you don’t need to create a User.

But if you ever need to invalidate access, I’d use an API Key and create a “User” entry to represent the server. That way you can disable access by locking the User (set UserAuth.LockedDate), or, if an API Key is compromised, you can invalidate the API Key by populating its ApiKey.CancelledDate.

If you’re going to use an API Key, I’d recommend enabling SessionCache, which speeds up access, e.g.:

new ApiKeyAuthProvider(AppSettings) {
    // cache the authenticated session for 10 minutes so each request does not hit the auth repository
    SessionCacheDuration = TimeSpan.FromMinutes(10),
}
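The trade-off in the question (a never-expiring JWT) and in the answer above (an API Key tied to a server "User", revocable via ApiKey.CancelledDate or UserAuth.LockedDate, with a session cache in front) can be modelled without any framework. The following is an added example, not ServiceStack code and not from either poster: the field names LockedDate and CancelledDate mirror the thread, while the store, the `ApiKeyAuth` class, the "sk-" key prefix and the constructed clock values are assumptions for illustration. It shows the security-relevant caveat of the session cache: a cancelled key or a locked user keeps authenticating until its cached session ages out, so SessionCacheDuration is also the worst-case revocation delay.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class UserAuth:
    """Pseudo-user representing a backend service (assumed model; LockedDate as in the thread)."""
    id: int
    user_name: str
    locked_date: Optional[float] = None


@dataclass
class ApiKey:
    """Stored API key record (assumed model; CancelledDate as in the thread)."""
    key_hash: str
    user_auth_id: int
    expiry_date: Optional[float] = None
    cancelled_date: Optional[float] = None


def _hash_key(raw_key: str) -> str:
    # Only the hash is persisted, so a leaked key table cannot be replayed against the API.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class ApiKeyAuth:
    """In-memory model of API-key authentication with a short-lived session cache."""

    def __init__(self, session_cache_seconds: float) -> None:
        self.users: Dict[int, UserAuth] = {}
        self.keys: Dict[str, ApiKey] = {}                     # key_hash -> ApiKey
        self.session_cache: Dict[str, Tuple[int, float]] = {}  # key_hash -> (user id, cached_at)
        self.session_cache_seconds = session_cache_seconds

    def create_service_user(self, user_name: str) -> UserAuth:
        user = UserAuth(id=len(self.users) + 1, user_name=user_name)
        self.users[user.id] = user
        return user

    def issue_api_key(self, user_id: int, now: float, ttl_seconds: Optional[float] = None) -> str:
        # The raw key is returned exactly once; only its hash is kept.
        raw_key = "sk-" + secrets.token_urlsafe(32)
        expiry = now + ttl_seconds if ttl_seconds is not None else None
        self.keys[_hash_key(raw_key)] = ApiKey(_hash_key(raw_key), user_id, expiry)
        return raw_key

    def cancel_api_key(self, raw_key: str, now: float) -> None:
        self.keys[_hash_key(raw_key)].cancelled_date = now  # populate CancelledDate

    def lock_user(self, user_id: int, now: float) -> None:
        self.users[user_id].locked_date = now  # set LockedDate

    def authenticate(self, raw_key: str, now: float) -> Optional[UserAuth]:
        key_hash = _hash_key(raw_key)
        cached = self.session_cache.get(key_hash)
        if cached is not None:
            user_id, cached_at = cached
            if now - cached_at < self.session_cache_seconds:
                # Fast path: the stored record is NOT re-read, so revocation is not seen yet.
                return self.users[user_id]
            del self.session_cache[key_hash]
        record = self.keys.get(key_hash)
        if record is None:
            return None
        if record.cancelled_date is not None and record.cancelled_date <= now:
            return None
        if record.expiry_date is not None and record.expiry_date <= now:
            return None
        user = self.users[record.user_auth_id]
        if user.locked_date is not None and user.locked_date <= now:
            return None
        self.session_cache[key_hash] = (user.id, now)
        return user


def demo() -> Dict[str, bool]:
    """Walk through issue, cancel, re-issue and lock on a constructed clock."""
    auth = ApiKeyAuth(session_cache_seconds=600)  # 10-minute cache, as in the thread
    t0 = 1_700_000_000.0                           # constructed epoch timestamp
    scheduler = auth.create_service_user("scheduler-svc")
    key = auth.issue_api_key(scheduler.id, now=t0)
    results: Dict[str, bool] = {}
    results["valid_key_accepted"] = auth.authenticate(key, t0) is scheduler
    auth.cancel_api_key(key, now=t0 + 60)
    results["cancelled_key_still_cached"] = auth.authenticate(key, t0 + 120) is scheduler
    results["cancelled_key_rejected_after_cache"] = auth.authenticate(key, t0 + 601) is None
    key2 = auth.issue_api_key(scheduler.id, now=t0 + 700)
    results["replacement_key_accepted"] = auth.authenticate(key2, t0 + 700) is scheduler
    auth.lock_user(scheduler.id, now=t0 + 800)
    results["locked_user_rejected_after_cache"] = auth.authenticate(key2, t0 + 1400) is None
    results["unknown_key_rejected"] = auth.authenticate("sk-bogus", t0) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The contrast with the never-expiring JWT from the question is that a JWT carries no equivalent of CancelledDate: once issued, it is accepted for as long as its signature verifies, so withdrawing one token means either rotating the signing key (which invalidates every token signed with it) or keeping a denylist that is consulted on every request, at which point the stateless benefit is gone. With the API Key model above, revocation is a single row update, and the only thing to size is the cache window.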

Hi Mythz, thanks once again for the advice. I have decided to use a long-term JWT and manage expiry. Thanks for your input.
