
ExpressJS API Token Authentication


1) Yes, you can go that way.

2) You can do it that way, but today I guess everyone is going with JWT (jwt.io), which basically are tokens with data in them, so you can authenticate with those without even querying the DB. In the token, you could even have permission scopes and check them every time you need an authenticated action. Example: https://github.com/DevAlien/Axolot/blob/master/lib/helper.js

3) If you use token authentication, I would not use sessions. You don't need state.

4) I guess not


Look here: https://www.npmjs.com/package/tokens2 Tokens2 is a token-based authentication module that works based on two tokens: 1- a JSON web token (JWT), which ensures the user who is logged in is a valid user; 2- an access token, which makes sure the user is not invalidated. This protocol works based on a short time-to-live JWT. The access token is persisted in a database which never expires unless we invalidate the user. JWT suffers from token invalidation and has serious issues for mobile users.
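
The scheme the two answers describe, as an added example (not from either post, and not the tokens2 module's code or API): a short-lived HS256 JWT carries permission scopes and is checked without a store lookup, while a persisted access token is the thing that gets invalidated. All names (`signJwt`, `requireScope`, `SECRET`, the 300-second lifetime) are assumptions, the `Map` stands in for the database, and the JWT handling is hand-rolled on Node's `crypto` so it runs without dependencies.

```javascript
const nodeCrypto = require('crypto');
const SECRET = 'constructed-demo-secret'; // constructed value; load a real key from config
const JWT_TTL = 300;                      // seconds; assumed "short" lifetime
const accessTokens = new Map();           // stand-in for the DB: accessToken -> { userId, scopes }
const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data) => nodeCrypto.createHmac('sha256', SECRET).update(data).digest();
const nowSec = () => Math.floor(Date.now() / 1000);

function signJwt(claims, now = nowSec()) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...claims, iat: now, exp: now + JWT_TTL }));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`))}`;
}

// Returns the claims, or null when the token is malformed, forged or expired.
function verifyJwt(token, now = nowSec()) {
  const [head, body, sig, ...rest] = String(token).split('.');
  if (sig === undefined || rest.length) return null;
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch { return null; }
}

function login(userId, scopes, now = nowSec()) {
  const accessToken = nodeCrypto.randomBytes(32).toString('hex');
  accessTokens.set(accessToken, { userId, scopes });
  return { accessToken, jwt: signJwt({ sub: userId, scopes }, now) };
}

// The only step that touches the store: swap a still-valid access token for a fresh JWT.
function refresh(accessToken, now = nowSec()) {
  const rec = accessTokens.get(accessToken);
  return rec ? signJwt({ sub: rec.userId, scopes: rec.scopes }, now) : null;
}

// Invalidating a user deletes their access tokens, so no new JWT can be minted for them.
const invalidate = (userId) => accessTokens.forEach((rec, tok) => { if (rec.userId === userId) accessTokens.delete(tok); });

// Express-style middleware: stateless signature, expiry and scope check on every request.
const requireScope = (scope) => (req, res, next) => {
  const claims = verifyJwt((req.headers.authorization || '').replace(/^Bearer /, ''));
  if (!claims) return res.status(401).end();
  if (!Array.isArray(claims.scopes) || !claims.scopes.includes(scope)) return res.status(403).end();
  req.user = claims; return next();
};
```

After `invalidate`, a JWT that was already issued still verifies until its `exp`, so the JWT lifetime bounds how long an invalidated user keeps access.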