What is the easiest way to implement a "passthrough" to let a device bypass the header requirement of an API which we both own?

Çağlar Arlı

For starters, I don't have any prior knowledge of implementing security/authentication on backends and frontends because of various reasons. So please forgive my ignorance.

So I implemented JWT token authentication on my Golang API, where logging in to an account gives a token that is needed for the header of any succeeding API calls. Now, we'll have a device that needs to pass some data to the server through the API, and I wanted to know if there's a way for that device to bypass the login part, because it would be autonomous, and still be secure in some way. Another problem I have is that the guy who'll mainly write the Arduino code is not that versed in programming (the guy is even afraid of looking at non-pretty-printed JSON), so I'd like the solution to be as simple as possible for his side.

I asked our "smart friend" for suggestions, because I have absolutely no idea what a good way to do what I want is, and it suggested something like the backend and the Arduino exchanging certificates, which honestly scared me and which I think is quite complex. Then I thought of making the Arduino pass a custom header that would grant it the power to bypass the token checking. I told the "friend" about that and it seems to be usable, but I need to go HTTPS first (which is a question for another day). Is it advisable?

UPDATE: Basically, the device would just post stuff, nothing else, because it's meant to collect data and pass that data to the server. It doesn't get data from the server. And the server, device, and app would only be using a local network, with no cloud server involved at the moment, and in production as well.
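
The custom-header idea from the question, sketched as Go middleware; this is an added example, not part of the original post. It scopes the device key to POST requests on a single ingest route and compares it in constant time, while every other request still needs the JWT. The header name `X-Device-Key`, the route `/api/readings`, the sample key and the `jwtOK` callback (standing in for the API's existing token check) are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names for this example; the key is a constructed sample, not a real secret.
const (
	deviceHeader = "X-Device-Key"
	ingestPath   = "/api/readings"
	sampleKey    = "constructed-sample-key"
)

// deviceKeyOK hashes both values to equal length, then compares in constant time.
func deviceKeyOK(presented, expected string) bool {
	a, b := sha256.Sum256([]byte(presented)), sha256.Sum256([]byte(expected))
	return expected != "" && hmac.Equal(a[:], b[:])
}

// Auth passes a request if the JWT check succeeds, or if it is a POST to the
// ingest route carrying the device key. The key grants nothing anywhere else.
func Auth(deviceKey string, jwtOK func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		device := r.Method == http.MethodPost && r.URL.Path == ingestPath &&
			deviceKeyOK(r.Header.Get(deviceHeader), deviceKey)
		if !device && !jwtOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request (no JWT) through Auth and returns the HTTP status.
func status(method, path, key string) int {
	noJWT := func(*http.Request) bool { return false } // stand-in for the real JWT check
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(204) })
	req := httptest.NewRequest(method, path, strings.NewReader(`{"temp":21.5}`))
	req.Header.Set(deviceHeader, key)
	rec := httptest.NewRecorder()
	Auth(sampleKey, noJWT, ok).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(status("POST", ingestPath, sampleKey), status("GET", ingestPath, sampleKey)) }
```

The key travels in a plain header, so it is only as confidential as the transport, which is why the HTTPS step mentioned in the question comes first.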