I’m trying to develop a simple web service using Recess, which is a web framework aimed at being simple to use and being inherently RESTful. I’ve found it to be very easy to use the CRUD functionality in Recess. I’ve created a model with its backend in a MySQL database, and found that a REST API was already available for use.

That’s great, but the problem is that I have no user authentication, which pretty much renders the really nice functionality I described above completely useless. In a real world application, authentication would be needed for accessing user-specific resources. For example, let’s say I’m developing a simple “to-do” application (which I’m not, by the way). The user has no interest in what other people put in their to-do lists, so the service needs to identify who the user is, so as to provide the correct data. Also, the user should not be allowed to read, delete or update other peoples’ resources.

This is done normally with a login system. But for a REST API, how is the user authenticated? Does the client need to provide the user’s credentials (like a username and password) every time a request is made? How can that be avoided? Normally, one can use cookies, but this is probably not good practice, since not all clients are necessarily web browsers. But if we are to emulate the functionality of cookies, how do we transmit the “cookies'” contents (normally, this is done in the HTTP header)? And finally, how can I integrate a solution to these problems in Recess’s built-in REST functionality?

As you can see, I’m fairly new to developing REST APIs, so any suggestions and pointers would be welcome.