When you access Drupal pages, your browser passes a cookie that is used to identify the current user. This ensures that Drupal is able to determine whether you are logged in or not and what your roles are, and then determine whether you have the permission to perform certain actions.
Drupal 8 core contains two methods of authenticating a user when making an API request:
- Basic authentication: The username and password of a valid account are passed in the request header. Note that this does not create a session in Drupal. The REST module is able to check permissions for operations, but other modules that expect to have a valid user session will not work as intended. This includes Views, so any Views that check either roles or permissions will fail with a 403 Forbidden response when using HTTP authentication.
- Cookies: The user session cookie is passed with the request in the same way that a normal page request would be. If the application...