Can I skip using access tokens for our API?

I’m using Universal Login on a single-page web app (Create React App) with a backend server shared with our API, and got the authentication portion working via this Quickstart guide, which uses Express-session and Passport to manage the sessions.

After the user has been authenticated, we store the session blob in a database, which allows us to revoke these sessions if we have to. We are also checking that the session exists on each API request and checking a CSRF token. Therefore, each API request needs a valid session to have access to our API. We also don’t use role-based access control.

Given all this, is it correct to assume that we don’t have to use access tokens? I don’t see it providing any more security or functionality.

My primary concern was how strongly worded this article title was: “Why You Should Always Use Access Tokens to Secure APIs”. So I wanted to get a sanity check that I wasn’t missing anything.

Thank you for your time.
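The per-request gate described in the question (server-side session lookup that can be revoked, plus a CSRF token check), sketched as an added example that is not the poster's code or the Quickstart's. The `sid` cookie name, the `x-csrf-token` header, the in-memory `Map` standing in for the database, and exempting safe HTTP methods from the CSRF check are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for the sessions table (assumption): session id -> { userId, csrfToken }.
const sessionStore = new Map();

// Called after the login callback succeeds; both values are random and unguessable.
function createSession(userId) {
  const sessionId = nodeCrypto.randomBytes(32).toString('hex');
  const csrfToken = nodeCrypto.randomBytes(32).toString('hex');
  sessionStore.set(sessionId, { userId, csrfToken });
  return { sessionId, csrfToken };
}

// Revocation is a row delete; the very next request with that cookie fails.
function revokeSession(sessionId) {
  return sessionStore.delete(sessionId);
}

// Constant-time comparison; hashing first gives timingSafeEqual equal-length buffers.
function safeEqual(a, b) {
  const ha = nodeCrypto.createHash('sha256').update(String(a)).digest();
  const hb = nodeCrypto.createHash('sha256').update(String(b)).digest();
  return nodeCrypto.timingSafeEqual(ha, hb);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Takes a request shaped like { method, cookies: { sid }, headers: { 'x-csrf-token' } }
// and returns { status, userId? }.
function authorizeApiRequest(req) {
  const sid = req.cookies && req.cookies.sid;
  const session = sid ? sessionStore.get(sid) : undefined;
  if (!session) return { status: 401 }; // unknown, expired or revoked session

  // State-changing requests must echo the token bound to this session.
  if (!SAFE_METHODS.has(req.method)) {
    const sent = req.headers && req.headers['x-csrf-token'];
    if (!sent || !safeEqual(sent, session.csrfToken)) return { status: 403 };
  }
  return { status: 200, userId: session.userId };
}
```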

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?