I am aware that there are primarily two approaches for authentication – sessions and tokens. And for sessions for I guess the session id is normally stored in the cookie that gets sent along with each subsequent request. And for tokens e.g. JWT it is normally a string added to the authorization header prefixed by bearer in HTTP header.
My first question: for the APIs that the front end uses to perform CRUD on protected resources on behalf of the logged in user, should userId be part of the API signature. In other words, do the frontend develoeprs need to pass the userId when they make those API calls? For example, I have an api endpoint for updating a resource
UpdateTask(userId?: string, taskId: string, updatedTaskConfig: TaskConfig): Task - POST /v1/tasks/:id
Should we omit userId since the session ID or the token (depends on which authentication approach we choose) is going to be enough for the backend to identify by which user this request is sent? Or we still need to include it?
Another related question is, I am aware that both JWTs and session IDs can be sent via multiple avenues (cookies, headers, request bodies, URLs, etc). Does that affect the API on the inclusion of the userId?
My second question is, for any CRUD operation, do the API calls need to include a timestamp generated on the frontend? Or it should be generated on the backend since the api calls can fail because of a number of reasons so that it makes more sense to let the backend generated the timestamp?