Recently a friend commented on how Django might do more to support SPA
applications, notably by having built-in support for authentication using JWTs.
This is not a new question, and recently I've been discussing with someone on
IRC about JWT support in Django that was not tied to
Django REST Framework.
I have frequently helped people on IRC who were having issues supporting token-based
auth in their APIs. But all too often they can't explain why they're using
token auth or what problem it solves for them, just that they read somewhere it
was needed. (Or worse, their manager demanded it without justification.)
I keep hearing people say they use token auth because they think Django's
default session-based auth won't work with their Vue/React/whatever Single Page
Application (SPA).
This has always baffled me, beyond assuming people are
cargo-culting something.
Also I've recently had interactions with someone I deeply respect, who also
seemed to feel Django's docs on handling authentication with a SPA were
lacking.
After writing my recent rant about token authentication, I realised there was
more to say on the subject.
Not all tokens are created equal, so I feel it's important for people to
understand the differences.
Here's a quick summary of some of the common token types, and their relative
strengths and weaknesses.