Authentication for single-page (and other) apps

If you run a ReST-style web API, it can be a bit tricky to decide which authentication mechanism is right for your scenario. Even more so if you need to support multiple different types of clients. Plain tokens? JWT? Session cookies? OAuth2? What about CORS? Do you need CSRF protection ...
