Stateless Session

Learn about stateless sessions.

Before we go any further, it must be clarified that an API does not handle stateful sessions.

An API should be stateless: it returns a response to each request and then requires no further attention. No previous or future state is needed for the system to work.

These steps define the flow for authenticating the user through an API:

  1. The client requests a sessions resource with the corresponding credentials (usually email and password).
  2. The server returns the user resource along with its corresponding authentication token.
  3. The client has to send that authentication token for every page that requires authentication.
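
The three steps above as a runnable sketch. This is an added example, not code from the lesson: the HMAC-signed token format, the function names, the signing key, the token lifetime and the in-memory user store are all assumptions made for illustration. The server validates each request from the token alone and keeps no session table.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"   # assumption: known only to the server
SALT = b"constructed-salt"                 # constructed; use a per-user salt in practice
TTL = 900                                  # assumed token lifetime in seconds

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice@example.com": _pw_hash("correct horse")}   # constructed user store

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def create_session(email, password, now=None):
    """Steps 1-2: check the credentials, return the user resource and a token."""
    now = time.time() if now is None else now
    stored = USERS.get(email)
    supplied = _pw_hash(password)          # hashed even for unknown users
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    payload = _b64(json.dumps({"sub": email, "exp": int(now) + TTL}).encode())
    return {"user": {"email": email}, "token": payload + "." + _sign(payload)}

def authenticate(token, now=None):
    """Step 3: validate the token sent with a request; no session lookup."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None                    # forged or modified token
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, AttributeError):
        return None                        # malformed token
    return claims["sub"] if claims["exp"] > now else None   # reject expired tokens
```

Because nothing is stored server-side, a token issued this way stays valid until it expires; revoking one earlier requires either a short lifetime or some server-side state such as a deny list.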
