I’m just wondering what the best-practice approach to authentication is when service calls may originate from backend infrastructure, e.g. a scheduling service or integration middleware piece, where a “user” is not readily known.
Is the answer to generate a never-expiring JWT and use it in requests?
A JWT with a long expiry is nice since you don’t need to create a User.
But if you ever need to invalidate access, I’d use an API Key and create a “User” entry to represent the server. That way you can disable access by locking the User (set UserAuth.LockedDate), or if an API Key is compromised you can invalidate the API Key by populating its ApiKey.CancelledDate.
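To make the trade-off in this answer concrete, here is an added example that is not from the original thread and not ServiceStack's own code: a minimal HS256 JWT verifier that consults nothing but the signature and an optional `exp` claim, beside an API-key check that re-reads a store on every request. The `AuthStore`, `UserAuth`, `ApiKey` classes and their `locked_date` / `cancelled_date` fields are a constructed in-memory stand-in modelled on the `UserAuth.LockedDate` and `ApiKey.CancelledDate` fields the answer names; the signing secret and reference time are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# ---------- Option 1: a JWT with no expiry (stateless, not revocable) ----------

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _enc_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_jwt(secret: bytes, subject: str, exp: Optional[datetime]) -> str:
    """HS256-signed JWT; exp=None omits the 'exp' claim, so it never expires."""
    payload = {"sub": subject}
    if exp is not None:
        payload["exp"] = int(exp.timestamp())
    signing_input = f"{_enc_json({'alg': 'HS256', 'typ': 'JWT'})}.{_enc_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(secret: bytes, token: str, now: datetime) -> Optional[str]:
    """Return the subject if signature and expiry check out, else None.
    Nothing here consults a store: once issued, a token stays valid until
    'exp' passes, so a never-expiring token can only be revoked by rotating
    the signing secret (which invalidates every other token too)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except ValueError:          # bad base64 or bad JSON
        return None
    if "exp" in payload and now.timestamp() >= payload["exp"]:
        return None
    return payload.get("sub")

# ---------- Option 2: API key bound to a server "user" (revocable) ----------

@dataclass
class UserAuth:
    id: int
    user_name: str
    locked_date: Optional[datetime] = None      # set to lock the whole account

@dataclass
class ApiKey:
    key_hash: str                               # sha256 of the secret, never the secret
    user_auth_id: int
    expiry_date: Optional[datetime] = None
    cancelled_date: Optional[datetime] = None   # set to revoke this one key

class AuthStore:
    """Constructed in-memory stand-in for an auth repository."""
    def __init__(self) -> None:
        self.users: Dict[int, UserAuth] = {}
        self.api_keys: Dict[str, ApiKey] = {}

    def add_user(self, user_id: int, user_name: str) -> UserAuth:
        self.users[user_id] = UserAuth(user_id, user_name)
        return self.users[user_id]

    def new_api_key(self, user_id: int, expiry: Optional[datetime] = None) -> str:
        """Generate a key, store only its hash, hand the secret back once."""
        secret = secrets.token_urlsafe(32)
        key_hash = hashlib.sha256(secret.encode()).hexdigest()
        self.api_keys[key_hash] = ApiKey(key_hash, user_id, expiry)
        return secret

    def cancel_key(self, secret: str, when: datetime) -> None:
        self.api_keys[hashlib.sha256(secret.encode()).hexdigest()].cancelled_date = when

    def lock_user(self, user_id: int, when: datetime) -> None:
        self.users[user_id].locked_date = when

def authenticate_api_key(store: AuthStore, presented: str, now: datetime) -> Optional[UserAuth]:
    """Every request re-reads the store, so a cancelled key or a locked user
    is rejected immediately and no other caller is affected."""
    key = store.api_keys.get(hashlib.sha256(presented.encode()).hexdigest())
    if key is None:
        return None
    if key.cancelled_date is not None and key.cancelled_date <= now:
        return None
    if key.expiry_date is not None and key.expiry_date <= now:
        return None
    user = store.users.get(key.user_auth_id)
    if user is None or (user.locked_date is not None and user.locked_date <= now):
        return None
    return user
```

The two halves behave differently on revocation: `verify_jwt` keeps accepting a token with no `exp` claim for as long as the secret is unchanged, whereas `authenticate_api_key` starts refusing the moment `cancel_key` or `lock_user` writes a date into the store. Storing only the SHA-256 of the API key means a read of the store does not leak usable credentials, which is why the secret is returned exactly once at creation.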