Lots of technologists are moving towards separating the front-end and back-end of their web assets. The front-end of a site becomes a stand-alone application that consumes endpoints (HTTP-accessible URLs) for business purposes. The back-end becomes an API, or a group of endpoints. There are lots of reasons for doing this; one is that it makes it easy to add another client (not a client in the business sense, but in the web sense, such as an Android app, an iOS app, a web app, a Facebook app, etc.) in the future, because all resources are just endpoints that can be reached from any internet connection.
Separating the front-end and the back-end of SpaceNav was one of my first recommendations and it is fun to finally move towards it.
The big problem with exposing a resource to anyone online is that you have to make sure it can only be accessed by authorized parties. A common and trusted way to authenticate API requests is OAuth 2.0. There are easier ways, but OAuth sets a good foundation for future growth no matter what new client you want to add.
OAuth isn’t complicated to understand, but it is a little more complicated to implement.
After I got a firm understanding of OAuth and its different grant types, I found a helpful package and wired it all up. It took surprisingly little effort to get it working. Most of the time was spent figuring out the best way to integrate it with our existing authorization.
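As an added illustration (not code from this post or from the package the author used), here is the decision an API endpoint makes on every request once it sits behind OAuth 2.0: it reads the bearer token, rejects missing, unknown or expired tokens with 401, and rejects tokens that lack the required scope with 403. The token store, scope names and client names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for the token store an OAuth 2.0 package would persist.
# The authorization server issues these tokens (whichever grant type the client
# used); the API only validates them, it never issues them itself.
_NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


@dataclass(frozen=True)
class AccessToken:
    client_id: str
    scopes: frozenset
    expires_at: int


TOKEN_STORE = {
    "tok-mobile-ok": AccessToken("ios-app", frozenset({"read:orbits"}), _NOW + 3600),
    "tok-expired": AccessToken("web-app", frozenset({"read:orbits", "write:orbits"}), _NOW - 1),
}


def authorize_request(headers, required_scope, now=_NOW):
    """Bearer-token check (RFC 6750 style) for one protected endpoint.

    Returns (status, detail): 200 with the client id when the token is valid and
    carries the scope, 401 when no usable token is presented, 403 when the token
    is valid but was not granted the scope. A real response would also set a
    WWW-Authenticate: Bearer header on the 401/403 paths.
    """
    # Header names are case-insensitive, so normalise before looking up.
    normalised = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = normalised.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "missing or malformed bearer token"
    record = TOKEN_STORE.get(token.strip())
    if record is None:
        return 401, "unknown token"
    if record.expires_at <= now:
        return 401, "token expired"
    # Scope is checked per endpoint: a read-only token must not reach write endpoints.
    if required_scope not in record.scopes:
        return 403, f"scope {required_scope} not granted"
    return 200, record.client_id
```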