Hi,
Correct. For REST endpoints (where credentials will be passed for every request), you should use a direct client: it defines the way to get your credentials (from a basic auth, from a single request parameter, from a cookie, from a header...) and the attached authenticator will validate your credentials.
So it depends on the credentials you have and the way to validate them. One security consideration is to avoid sending sensitive parameters in the URLs (like a password); the performance consideration is to avoid validating the credentials for each request, by using the LocalCachingAuthenticator as a wrapper for your authenticator.
Common scenarios:
1) I have application credentials, already known by the caller: they are passed via basic auth (DirectBasicAuthClient) or POST as a form (DirectFormClient) and validated against a database (DbAuthenticator), an LDAP (LdapAuthenticator)..., the authenticator being wrapped by a LocalCachingAuthenticator.
2) I have a user who authenticates via a UI and then I turn his identity into a JWT token I can use to call a REST endpoint (ParameterClient with a JwtAuthenticator).
Thanks.
Best regards,
Jérôme
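
The two scenarios from the reply above, wired together as an added example (not code from the original message or from the pac4j project). It assumes the pac4j 2.x-or-later API; the class name `RestSecurityConfig`, the `JWT_SIGNING_SECRET` environment variable, the `token` parameter name and the cache size and timeout are illustrative assumptions, and `SimpleTestUsernamePasswordAuthenticator` is a test-only stand-in for a DbAuthenticator or LdapAuthenticator.

```java
import java.util.concurrent.TimeUnit;

import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.credentials.authenticator.LocalCachingAuthenticator;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;

// Hypothetical configuration class; names and values are assumptions.
public final class RestSecurityConfig {

    public static Config build() {
        // Scenario 1: application credentials sent via basic auth on every request.
        // The delegate below accepts any login equal to its password, so it is
        // only a placeholder for the real database or LDAP authenticator.
        // The caching wrapper skips the backend lookup for repeated credentials;
        // a cached entry stays accepted until the timeout expires, so keep the
        // timeout short enough for password changes and revocations.
        LocalCachingAuthenticator cached = new LocalCachingAuthenticator(
                new SimpleTestUsernamePasswordAuthenticator(),
                10_000, 5, TimeUnit.MINUTES);
        DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(cached);

        // Scenario 2: a JWT issued after a UI login, validated on each REST call.
        // The signing secret comes from the environment, never from source code.
        String secret = System.getenv("JWT_SIGNING_SECRET");
        if (secret == null || secret.length() < 32) {
            throw new IllegalStateException(
                    "JWT_SIGNING_SECRET must be set to at least 32 characters");
        }
        JwtAuthenticator jwtAuthenticator =
                new JwtAuthenticator(new SecretSignatureConfiguration(secret));

        // Accept the token as a POST parameter only, so it does not end up in
        // URLs (access logs, browser history, Referer headers).
        ParameterClient tokenClient = new ParameterClient("token", jwtAuthenticator);
        tokenClient.setSupportGetRequest(false);
        tokenClient.setSupportPostRequest(true);

        return new Config(new Clients(basicAuthClient, tokenClient));
    }

    private RestSecurityConfig() {
    }
}
```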