How are REST urls protected?
For example I have a GET URL like
From the server's point of view there is no difference between answering a restful service request and answering a page request.
Thus you can use exactly the same mechanisms.
This is valid whatever way the rest service is requested : from an application, from Angular, etc
The most common is to use a login with password authentication, which provides a cookie to user, which is sent together with the request when that request is later issed.
In order to do that you can have a restful API endpoint such as 'login' which will be called by specifying username and password.
It could look like this :
Your server would then check whether username and password are correct, and if so simply answer an almost empty message, but with the following header included:
Later on, your users can query your restful service normally, the cookie will be automatically added to their requests. Your server will be able to check if the session id is valid, and if not deny the resource.