Designing a Multi-Client Token-Based Authentication System: Strategies and Best Practices

Overview

In information systems with an account system, identity verification is crucial. With the rise of mobile internet, many client types appear, leading to a one‑server‑multiple‑clients pattern.

Usage Scenarios

Common IT service scenarios include:

User logs in via web browser

User logs in via mobile (Android/iOS)

User logs in via open API

PC authorizes mobile login by scanning QR code

Mobile authorizes PC login by scanning QR code

Token Categories

1. Account‑Password Tokens

Username and password

API application ID/KEY

2. Session ID Tokens

Browser token

Mobile token

API application token

3. Interface Call Tokens

Interface access token

Authorization token

PC‑mobile mutual‑authorization token

Comparison Dimensions

Tokens are compared on natural attributes (usage cost, change cost, environmental risk) and controllable attributes (usage frequency, validity period). The goal is security and impact control.

Final goal: security and impact.

Token Hierarchy

Four layers:

Password layer

Session layer

Invocation layer

Application layer

4.1 Account‑Password

Traditional username/password and app_id/app_key. They have special meaning, are rarely changed, and leakage has far‑reaching consequences.

4.2 Client Session Token

Acts as a session; different clients have different lifecycles. Steps: user logs in with credentials, obtains session token, which can be exchanged for other tokens.

Web token

Short lifespan due to public environment and convenient input.

Mobile token

Longer lifespan because mobile devices are personal, but input is less convenient.

4.3 Access Token

Credential for server‑side API calls. Obtained by exchanging a long‑lived session token. Should have short lifespan to limit impact if intercepted.

4.4 pam_token

QR‑code string generated by an authenticated PC for mobile scanning. Steps: PC authenticates, generates pam_token, creates QR code, mobile scans, obtains refresh token, then access token.

4.5 map_token

Mobile‑initiated QR authentication of a PC. Steps: mobile logs in, PC creates anonymous map_token, mobile scans, DB links map_token to user, generates web_token, PC uses it to get access token.

Conclusion and Outlook

The proposed token‑based authentication system addresses token classification, privacy parameter settings, usage scenarios, and hierarchical conversion of tokens with different lifecycles. It can be applied to login, time‑limited coupons, invitation codes, QR authorizations, OTPs, multi‑platform API access, and unified identity centers.