Why use `api-token` instead of `session` token for API routes

What’s the point in adding the api-token context to phx.gen.auth controllers if a session token already exists?

Based on this guide: API Authentication — Phoenix v1.7.11. Is this only useful if your Phoenix application is used for both a public endpoint and as your primary web interface? Shouldn’t the session token be enough when sending requests to your FE?

The only thing different is the label put on those tokens stored in the db, and for that it's best to be explicit about what those tokens are given out for. You shouldn't be mixing tokens between the use cases.
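To make the "only the label differs" point concrete, here is an added, self-contained sketch of context-scoped tokens, modelled on how phx.gen.auth stores each token with a `context` column. It is not code from the thread or from phx.gen.auth itself: the in-memory map stands in for Ecto, and the module name, function names and validity periods are assumptions for the example.

```elixir
# Added example (not phx.gen.auth's own code): tokens are issued under a
# context label and only verify under that same label, so a "session"
# token cannot be presented as an "api-token" even though both are just
# random bytes with a row in the token table.
defmodule ScopedTokens do
  @rand_size 32
  @hash_algorithm :sha256
  # Validity per context is an assumption chosen for this example.
  @validity_days %{"session" => 60, "api-token" => 365}

  @doc "Issue a token for `user_id` under `context`; returns {encoded_token, store}."
  def build_token(store, user_id, context) when is_map_key(@validity_days, context) do
    token = :crypto.strong_rand_bytes(@rand_size)
    # Only the hash is persisted; the raw token goes to the client.
    hashed = :crypto.hash(@hash_algorithm, token)
    record = %{user_id: user_id, context: context, inserted_at: DateTime.utc_now()}
    {Base.url_encode64(token, padding: false), Map.put(store, hashed, record)}
  end

  @doc "Return {:ok, user_id} only if the token exists, is unexpired and was issued for `context`."
  def verify_token(store, encoded, context) do
    with {:ok, token} <- Base.url_decode64(encoded, padding: false),
         # The pinned `^context` is the whole point: a row with a different
         # context does not match, exactly like a `where: t.context == ^context`.
         %{context: ^context} = record <- Map.get(store, :crypto.hash(@hash_algorithm, token)),
         true <- fresh?(record) do
      {:ok, record.user_id}
    else
      _ -> :error
    end
  end

  defp fresh?(%{context: context, inserted_at: inserted_at}) do
    days = Map.fetch!(@validity_days, context)
    DateTime.diff(DateTime.utc_now(), inserted_at) < days * 86_400
  end
end

# Demonstration: issue one token of each kind for the same user and try
# presenting the session token where an API token is expected.
{session_tok, store} = ScopedTokens.build_token(%{}, 1, "session")
{api_tok, store} = ScopedTokens.build_token(store, 1, "api-token")
IO.inspect(ScopedTokens.verify_token(store, api_tok, "api-token"), label: "api token as api-token")
IO.inspect(ScopedTokens.verify_token(store, session_tok, "api-token"), label: "session token as api-token")
IO.inspect(ScopedTokens.verify_token(store, session_tok, "session"), label: "session token as session")
```

Run it with `elixir scoped_tokens.exs`: the first and third checks succeed for user 1, the second fails, because the lookup is keyed on both the token hash and the context. That is the separation the generator's `api-token` context buys you: a long-lived API credential leaking into a session cookie (or the reverse) is rejected rather than silently accepted, and each context can carry its own validity period and revocation logic.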

But if my primary use case is to use my Phoenix server as a public endpoint (no views other than JSON), then couldn't I just rely on the default session, and not complicate it with an additional token?

If you don't have an HTML interface where people log in then imo remove the APIs around session tokens. An API doesn't use sessions.

Got it, that’s what I was wondering. Thanks!