Gate-Keeper | Web-based user authentication with facial recognition | Computer Vision library

I found two issues which were causing the problem.

1. SVG had a width of 28em. Kindly remove that. Instead, use % value. Because of em the browser is putting your SVG outside the container box.

2. Your header nav items wrapped in "ul" were displayed as a flex with its direction to row throughout. So as soon as the width of the container is reduced, they overlap. You can use a flex-direction column to sort that for the smaller devices.

I think you're just looking at things from the wrong perspective. The right perspective should clear up your confusion.

The fact that some other API is accessing your API is inconsequential. At the end of the day, your API serves clients, and all you need to know is some client is accessing your API. That could be another API, a user, a console app, a service, whatever. Doesn't matter.

That client needs to be authorized to use your application. The method of authentication to become authorized can vary based on the client but it all achieves the same goal. For example, something like another API will very likely auth via client authentication (an id/key pair). Here, you're authorizing the client, so if that client is acting on behalf of a particular user, they would separately need to authenticate as that user (typically via OAuth). Alternatively, if the other API exclusively works for a particular user, the whole thing can simply be achieved via OAuth (i.e. the client itself does not authenticate, but rather users of that client authenticate via an OAuth workflow presented by the client. In either case, the client ends up with an auth token that they can then send with further requests to authorize the request.

The important part is that auth token. No matter what the method of authentication, an auth token will be given, and that is what is used to authorize requests.

Based on the scenario you've presented here. The most likely course is that AppApi should authenticate with CommonApi via client authentication (it would be assigned a client id and a client secret and would send that to an endpoint on CommonApi to get an access token. It would then authorize all requests to CommonApi with that access token. The user of the website would authenticate with that website and interact with AppApi based on that authentication, but that should have no bearing on anything that happens with CommonApi. The one exception would be if AppApi is impersonating the user for CommonApi. For example, I might have an API that does some stuff on Facebook. If I need to do something like post as a particular user via that API, then the user needs to directly authenticate with Facebook via an OAuth workflow with that API. Afterwards, the API is granted an access token to do things on the user's behalf.