For API authentication, prefer devise_token_auth — a simple, popular, secure-by-default opaque-token solution that coexists with Devise view-based auth. Avoid custom cryptography (JWTs) when an opaque token is enough. As of 10 September it uses the standard Authorization header, freeing front ends from custom header handling.
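The opaque-token pattern recommended above, as an added Ruby example that is not devise_token_auth's own code: the token is random bytes with no claims inside, the server keeps only its digest, and revocation is a delete. The class name `OpaqueTokenStore`, its methods, the `Bearer` scheme and the in-memory hash are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store; a real app would persist digests in its database.
class OpaqueTokenStore
  Entry = Struct.new(:user_id, :expires_at)

  def initialize(ttl: 3600)
    @ttl = ttl
    @entries = {} # SHA-256(token) => Entry; the raw token is never stored
  end

  # Returns the raw token once; only its digest is kept server-side.
  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the CSPRNG, no claims inside
    @entries[digest(token)] = Entry.new(user_id, now + @ttl)
    token
  end

  # Takes the raw Authorization header value; returns the user_id or nil.
  def authenticate(header, now: Time.now)
    token = header.to_s[/\ABearer ([A-Za-z0-9_\-]+)\z/, 1]
    return nil unless token

    entry = @entries[digest(token)]
    return nil if entry.nil?

    if now >= entry.expires_at
      @entries.delete(digest(token)) # expired tokens are purged on sight
      return nil
    end
    entry.user_id
  end

  # Revocation is a delete: the token is dead for the very next request.
  def revoke(token)
    !@entries.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because validity lives in the server-side record rather than in a signature, there is no signing key to manage and no algorithm field for a client to influence.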