Secure endpoints for logged in users

Is anyone using a well-maintained package or have a bullet-proof solution for this? I’d like to provide endpoints for logged-in users but I’m not sure what the most secure way to do it would be.

Thanks in advance for any tips.

I think it is safe enough to create an API key using Random.secret, and store it in the user document. Whenever the endpoint is called, the API key is passed. What’s wrong with that?

For methods and publications, check that this.userId exists (signifies that the user is logged in)

Hey RJ, yes of course. 🙂 I’m asking about HTTP API requests. 🙂

The user could send the login token in the header of the request, and you can get it on the server and query for a user with that token.

That's almost the same as the methods do.

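The header-token check suggested above, as an added example that is not part of the original thread: plain Node.js with no Meteor runtime, hashing the presented token the way Meteor stores resume tokens (`services.resume.loginTokens.hashedToken`) and rejecting expired ones. The in-memory `sampleUsers` array, the `Bearer` header scheme, the token pattern and the 90-day lifetime are assumptions.

```javascript
const nodeCrypto = require('crypto');

// Meteor stores resume tokens as base64(SHA-256(token)), so a leaked
// users collection does not directly expose usable tokens.
function hashLoginToken(token) {
  return nodeCrypto.createHash('sha256').update(token).digest('base64');
}

const TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000; // assumed 90-day lifetime

// Returns the matching user's _id, or null. `users` is a constructed
// in-memory stand-in for the users collection; `now` is injectable for tests.
function authenticate(headers, users, now = Date.now()) {
  const match = /^Bearer ([A-Za-z0-9_-]{20,128})$/.exec(headers.authorization || '');
  if (!match) return null; // missing or malformed header
  const presented = Buffer.from(hashLoginToken(match[1]), 'base64');
  for (const user of users) {
    const resume = (user.services && user.services.resume) || {};
    for (const t of resume.loginTokens || []) {
      const stored = Buffer.from(t.hashedToken, 'base64');
      // Compare digests in constant time; both are 32 bytes when well-formed.
      const same = stored.length === presented.length &&
        nodeCrypto.timingSafeEqual(stored, presented);
      const fresh = now - new Date(t.when).getTime() < TOKEN_LIFETIME_MS;
      if (same && fresh) return user._id;
    }
  }
  return null;
}

// Constructed sample data: u1 has a recent token, u2 an expired one.
const NOW = Date.parse('2024-06-01T00:00:00Z');
const sampleUsers = [
  { _id: 'u1', services: { resume: { loginTokens: [
    { hashedToken: hashLoginToken('constructed-token-for-user-one-0001'),
      when: new Date('2024-05-20T00:00:00Z') },
  ] } } },
  { _id: 'u2', services: { resume: { loginTokens: [
    { hashedToken: hashLoginToken('constructed-token-for-user-two-0002'),
      when: new Date('2023-01-01T00:00:00Z') },
  ] } } },
];

console.log(authenticate(
  { authorization: 'Bearer constructed-token-for-user-one-0001' }, sampleUsers, NOW));
```

In a real Meteor server the loop would be a single indexed query on the hashed token, and the endpoint should only be served over TLS since the header carries a full session credential.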

I think this may be the way to go: https://www.npmjs.com/package/simple-hmac-auth
