Types of authentication

Magento supports three different types of authentication methods:

  • Session-based authentication: Best suited for JavaScript widget applications running as part of the Magento storefront itself. Magento uses the logged-in state of an admin user or customer to verify their identity and authorize access to the requested resource.
  • Token-based authentication: Best suited for mobile or other types of applications that wish to avoid the complexities of full-blown OAuth-based authentication. To obtain the token (with REST), the client first calls either the POST /V1/integration/customer/token or the POST /V1/integration/admin/token endpoint. A successful response returns a random 32-character-long string, for example, 8pcvbwrp97l5m1pvcdnis6e3930n4rsj. This is our token, which is sent with every subsequent API call in a header of the form Authorization: Bearer <token>. The simplicity of this authentication makes it an appealing choice for developers.
  • OAuth-based authentication: Best suited for third-party applications that integrate with Magento on behalf of the user, without revealing or storing any user IDs or passwords. The starting point for setting up OAuth-based authentication is for a Magento admin user to create an integration, under the System | Extensions | Integration | Add New Integration screen. Here we can provide options such as Callback URL and Identity link URL, which define the external application endpoint that receives the OAuth credentials. If given, the values of these links point to the external app that acts as the OAuth client. A successfully saved integration generates the key OAuth artefacts, such as Consumer Key, Consumer Secret, Access Token, and Access Token Secret.

OAuth-based authentication is beyond the scope of this book, which is why, moving forward, all of our examples will use the simpler token-based authentication.
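The token flow described above, as an added Python sketch that is not code from the book: it builds the token request, validates the returned token, and attaches it as a bearer header, refusing plain HTTP and masking the token for logs. The host shop.example, the /rest URL prefix, the /V1/customers/me path, the JSON request and response shapes, and the lowercase-alphanumeric token alphabet are assumptions.

```python
import json
import re
import urllib.request

# Token shape from the text: 32 characters (lowercase/digit alphabet is assumed).
TOKEN_RE = re.compile(r"[a-z0-9]{32}")

def _require_https(base_url):
    # Credentials and bearer tokens must never travel over plain HTTP.
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return base_url.rstrip("/")

def build_token_request(base_url, username, password, kind="customer"):
    """Build the POST /V1/integration/<kind>/token request (not sent here)."""
    if kind not in ("customer", "admin"):
        raise ValueError("kind must be 'customer' or 'admin'")
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        f"{_require_https(base_url)}/rest/V1/integration/{kind}/token",
        data=body, method="POST",
        headers={"Content-Type": "application/json"})

def parse_token_response(raw):
    """Assumed response body: a JSON-encoded string; reject anything else."""
    token = json.loads(raw)
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        raise ValueError("response is not a well-formed token")
    return token

def build_authorized_request(base_url, path, token):
    """Attach the token as 'Authorization: Bearer <token>' for a later call."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed token")
    return urllib.request.Request(
        f"{_require_https(base_url)}/rest{path}",
        headers={"Authorization": f"Bearer {token}"})

def redact(token):
    # For log lines: keep a short prefix for correlation, hide the rest.
    return token[:4] + "*" * (len(token) - 4)

if __name__ == "__main__":
    # Constructed sample response body, using the example token from the text.
    tok = parse_token_response('"8pcvbwrp97l5m1pvcdnis6e3930n4rsj"')
    req = build_authorized_request("https://shop.example", "/V1/customers/me", tok)
    print(req.get_method(), req.full_url, "token:", redact(tok))
```

Because the token alone authorizes every later call, it deserves the same handling as a password: HTTPS only, and never written to logs unmasked.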
