I am just learning Django and DRF. I created a Django app which authenticates users, and I used the default Django views for it. (I made my own signup view as I needed to add a user image.) Now I've been asked to add APIs to the same project using DRF. Should I use session authentication for it, as the project is using it, or implement the APIs using token authentication?
I'm quite lost on what to do.
DRF makes it relatively straightforward to implement both session and token authentication, and since you can define different authentication classes for different views or endpoints, it's up to you to choose.
It would be best to apply session authentication for web views, and token authentication to make your APIs more suitable for various types of clients.
Security-wise, both of them are good if implemented correctly. While token authentication is more secure generally because a token cannot be tampered with, sessions can be managed server-side, which makes it vulnerable to CSRF attacks, but that's not really an issue with proper protection, since Django has built-in CSRF protection.