Authentication for my API on separate domain
I am trying to create an API that I can leverage for multiple client applications (web, mobile, etc.). I am hosting the API on Heroku, so the API address will be something like foo.herokuapp.com.
I want to serve all requests through this, but I also want to have a separate web client to interact with it, say, bar.herokuapp.com.
Right now, I have authentication over HTTPS using cookies working well on the API's domain, but how do I authenticate requests from the web client (bar.herokuapp.com) to the API (foo.herokuapp.com) since it is on a separate domain?
If you use cookie-based authentication on foo.herokuapp.com, you can change the scope of the cookie to be .herokuapp.com; this way, CORS requests with withCredentials from bar.herokuapp.com will send the cookie.
One problem I see, though, is that herokuapp.com is not YOURS. Someone else could create an application on Heroku, redirect your users there and steal the cookie. Then they would be able to call your API with the stolen cookie. So I would strongly recommend that you buy a domain; otherwise, do not use this approach.
Another approach that works very well for this case is to use JSON Web Tokens (see Cookies vs Tokens).