For API service, JWT(Json Web Token) is needed. Found several solutions on github, which one can be used for production?
Also found some frameworks generate a random string, save it in database associated to user account, clear previous ones. When client send a token in, look up in database, if found, let the associated user log in. This doesn't need computation, seems to be good?