With RAD, all communications between client and server are encapsulated within a connection. When a connection closes, all state associated with the connection is reclaimed by the RAD daemon. However, because RESTful interactions that happen over HTTP are stateless, a client must establish a connection and authenticate with each request.
Instead of having to re-authenticate for every request, RAD provides a token authentication mechanism. When a client connects to RAD and successfully authenticates, RAD generates a unique token for the client and then services the request. At the same time, RAD stores the token and details about the client connection. On subsequent requests, if a token is supplied, RAD uses the token to retrieve the previously authenticated connection, associates it with the incoming request, and processes the request.
Because a token is generated only when a client first connects and authenticates, the initial request carries no token. Tokens have the following characteristics:
A token is a 256-bit opaque value built from a random number. The size makes a token infeasible to guess and makes collisions between tokens negligible.
Tokens have a finite, configurable lifetime of up to 24 hours; the default is 1 hour. The lifetime is set as part of the initial authentication request. The token's expiry time is extended each time an authenticated request is received, so the lifetime behaves as an idle timeout rather than as an absolute limit on how long a session can live.
If the token received in a request is invalid or has expired, an error is returned and the client must re-authenticate.
If the RAD slave is killed or if RAD is terminated, all tokens and their corresponding sessions are destroyed.
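The following model of the token mechanism described above is an added example and is not RAD's own code. It implements the behaviour the text states (256-bit random token minted on the first authenticated request, a lifetime capped at 24 hours with a 1-hour default, expiry pushed forward on every authenticated request, an error for an unknown or expired token, and every session dropped when the daemon goes away). The credential table, the clock abstraction, and the decision to reject rather than clamp an out-of-range lifetime are assumptions made for the example.

```python
"""Model of a token-authenticated session store with sliding expiry.

Added example, not RAD's implementation: it reproduces the behaviour the
text describes so the expiry and re-authentication rules can be exercised.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_LIFETIME = 24 * 60 * 60      # 24 hours: the maximum lifetime the text gives
DEFAULT_LIFETIME = 60 * 60       # 1 hour: the default lifetime the text gives
TOKEN_BYTES = 32                 # 32 random bytes = 256-bit opaque token

# Constructed sample credential table for the example (not real accounts).
CREDENTIALS = {"admin": b"correct horse battery staple"}


class AuthError(Exception):
    """Initial authentication failed; no token is issued."""


class TokenError(Exception):
    """Token unknown or expired; the client must re-authenticate."""


class FakeClock:
    """Injectable clock (assumption for the example) so expiry can be shown without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class Session:
    user: str
    lifetime: int        # seconds, fixed at authentication time
    expires_at: float    # moves forward on every authenticated request


class TokenStore:
    """Daemon-side table: token -> previously authenticated session."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}

    def authenticate(self, user, secret, lifetime=DEFAULT_LIFETIME):
        """First request: no token yet. Check credentials, mint a token, record the session."""
        expected = CREDENTIALS.get(user)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise AuthError("authentication failed")
        if not 0 < lifetime <= MAX_LIFETIME:
            # Assumption: an out-of-range lifetime is rejected rather than clamped.
            raise ValueError(f"lifetime must be in (0, {MAX_LIFETIME}] seconds")
        token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG-backed 256-bit value
        self._sessions[token] = Session(user, lifetime, self._clock() + lifetime)
        return token

    def lookup(self, token):
        """Subsequent request carrying a token: validate, slide expiry, return the session."""
        session = self._sessions.get(token)
        if session is None:
            raise TokenError("invalid token")
        now = self._clock()
        if now >= session.expires_at:
            del self._sessions[token]                 # reclaim the expired session's state
            raise TokenError("expired token")
        session.expires_at = now + session.lifetime   # sliding expiry: idle timeout, not absolute
        return session

    def shutdown(self):
        """Slave killed or daemon terminated: every token and session is destroyed."""
        self._sessions.clear()

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    store = TokenStore(clock=clock)
    tok = store.authenticate("admin", CREDENTIALS["admin"])
    print("token:", tok)
    clock.advance(3000)
    print("still valid after 50 min:", store.lookup(tok).user)
    clock.advance(3600)
    try:
        store.lookup(tok)
    except TokenError as exc:
        print("after an hour idle:", exc)
```

Because the expiry slides on every authenticated request, a client that keeps polling can hold the same token indefinitely; the 24-hour ceiling bounds the idle gap, not the session's total age, which matters when deciding how long a leaked token stays usable.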