OAuth 2.0. No session? (stateless)

猫巷女王i 2021-02-04 04:58

I'm going to implement OAuth 2.0 and REST API with it to grant different permissions per users and also to scale well.

To scal

2 answers
  •  半阙折子戏
    2021-02-04 06:01

    What you are describing here is the OAuth 2 Implicit Grant flow. OAuth 2 also includes three other flows, but as it seems that your resource owner (the user) is initiating requests using browser-side JavaScript (you were talking about cookies), this is the flow you should go for.

    On client side, OAuth only requires you to store the access_token for accessing protected resources (and a refresh_token if you're going for an expiring access_token).
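
The client-side handling described in the answer above, as an added example that is not part of the original answer: it parses the URL fragment an implicit grant redirect returns, checks `state`, and builds the header for a session-less API call. Parameter names follow RFC 6749 section 4.2.2; the function names and sample values are assumptions made for illustration.

```javascript
// Added example: handle the redirect that ends an OAuth 2.0 implicit grant.
// Parameter names follow RFC 6749 section 4.2.2; function names are hypothetical.

function parseImplicitGrantFragment(fragment, expectedState, nowMs = Date.now()) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));

  // The authorization server reported a failure (RFC 6749 section 4.2.2.1).
  if (params.has('error')) {
    throw new Error('authorization failed: ' + params.get('error'));
  }
  // state must equal the value this client generated before redirecting;
  // otherwise the response does not belong to this browser's request (CSRF).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  if (!accessToken || tokenType !== 'bearer') {
    throw new Error('missing access_token or unsupported token_type');
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken,
    // expires_in is optional; null means the client does not know the lifetime.
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0
      ? nowMs + expiresIn * 1000
      : null,
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}

// Stateless request: the token travels in the Authorization header on every
// call, so the API needs no server-side session or session cookie.
function authHeaders(token, nowMs = Date.now()) {
  if (token.expiresAt !== null && nowMs >= token.expiresAt) {
    throw new Error('access token expired');
  }
  return { Authorization: 'Bearer ' + token.accessToken };
}
```

In a browser the fragment would come from `window.location.hash`, and the expected `state` from wherever the client kept it before redirecting.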
