Hi all. I’m writing an app which talks to my api backend. The backend also has a portal where users can sign in with a username/password. I want the users to sign in also on the android app, so that the app can make authenticated requests to the server.
What is the best practice for making authenticated api calls? Do I save the username/password on the device and send it on every api request?
Do I generate a token based on the username/password which I then save on the device and use that on every request?
How about the token expiration? Basically I want the user to only sign in once, unless they uninstall the app, so do I make it a non-expiring token? I’m thinking a refresh token & token might be too much. I’m planning to use https for the backend and maybe ssl pinning for the app, so I’m not that worried about someone stealing the token.
How do you do it?
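The access-token + refresh-token scheme the post weighs against a non-expiring token, written out as an added example (not the poster's code): the server side, with a constructed in-memory store standing in for a database and a hypothetical `verify` callback for the password check. It shows the two things a single non-expiring token cannot give you: short-lived access tokens, and a refresh token that is rotated on use so a copied one is detected and the user can be signed out everywhere.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60           # short-lived; bounds the damage if one leaks
REFRESH_TTL = 180 * 24 * 3600  # long-lived; keeps the user signed in

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, not tokens

class TokenService:
    def __init__(self, now=time.time):
        self.now = now
        self.access = {}   # sha256(token) -> (user, expires_at)
        self.refresh = {}  # sha256(token) -> (user, expires_at)
        self.used = {}     # sha256(spent refresh token) -> user

    def _issue(self, user):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_h(access)] = (user, self.now() + ACCESS_TTL)
        self.refresh[_h(refresh)] = (user, self.now() + REFRESH_TTL)
        return access, refresh

    def login(self, user, password, verify):
        # The password is sent once; afterwards the device holds only tokens.
        return self._issue(user) if verify(user, password) else None

    def authenticate(self, access_token):
        # Checked on every API request; returns the user or None.
        entry = self.access.get(_h(access_token))
        return None if entry is None or entry[1] < self.now() else entry[0]

    def refresh_tokens(self, refresh_token):
        # Rotation: the presented refresh token is spent and a new pair issued.
        # A spent token presented again means it was copied: revoke the user.
        key = _h(refresh_token)
        if key in self.used:
            self.revoke_user(self.used[key])
            return None
        entry = self.refresh.pop(key, None)
        if entry is None or entry[1] < self.now():
            return None
        self.used[key] = entry[0]
        return self._issue(entry[0])

    def revoke_user(self, user):
        # "Sign out everywhere"; not possible with an untracked non-expiring token.
        for store in (self.access, self.refresh):
            for key in [k for k, v in store.items() if v[0] == user]:
                del store[key]
```

The app stores only the token pair (in the platform keystore-backed storage rather than the password), sends the access token on each request, and calls the refresh endpoint once it gets a 401.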