This is probably the question we’ve been asked the most at Penpot. We have a vague explanation on our FAQ page, so with this article I’ll try to explain a bit of the motivation and spirit behind each decision. The rationale is multi-faceted.
When we talk about authentication for REST APIs, almost everyone tends to think of OAuth 1 or OAuth 2 and their variants defined by service providers. It’s true that there are also other auth systems such as token, OpenID, etc., but they are not as widely used as OAuth.
What do you think about them? Are they all truly stateless?