
I am trying to create a Rest Api using a token based Authentication.

Is there any best practice in passing credentials from client to server for generating the token. As a HTTP Header or as a JSON String in post body?

I have been searching around but was not able to find any concrete answers.

dur
tpuli

2 Answers

Don't try to reinvent the wheel. For a good starting point look here: best-practices-for-securing-a-rest-api-web-service

For my API implementation and my needs, I chose simple BasicAuth (credentials sent in the header), and any other tokens and security-related data I added to the JSON payload with each request. Don't forget to set SSL as mandatory.

ThorstenC

I would recommend using the Open ID Connect authentication protocol, and more specifically using a third party service or solid library that implements this protocol. Open ID Connect builds on OAuth 2 and is now widely used with support for various development languages and frameworks: http://openid.net/developers/libraries/

A successful authentication step results in an "access token" that can then be passed to your REST API where it is validated for authenticity. In Open ID Connect this token is passed as an HTTP header vs. the POST body.

If you roll your own protocol, or even develop your own Open ID Connect implementation, be aware of the details as it is very easy to overlook something small and thus create an insecure API. See the OAuth 2.0 Threat Model and Security Considerations for examples of what I am referring to. Due to this concern I always recommend use of an existing, well-vetted implementation.

Brice Williams
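The two answers above describe the same two-step shape: credentials travel once in an `Authorization: Basic` header to obtain a token, and every later request carries that token in an `Authorization: Bearer` header rather than in the JSON body. The sketch below is an added example, not code from either answerer or from any library; the signing key, salt, user store and the simplified `payload.hmac` token format are constructed for the demo (a real deployment would use a vetted JWT/OIDC library, per-user salts and TLS, as the answers say).

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-signing-key-keep-server-side"  # assumption: demo value only

def hash_password(password):
    """Slow salted hash for stored passwords (a per-user salt is the real-world rule)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

USERS = {"alice": hash_password("correct horse")}  # constructed user store

def basic_header(user, password):
    """Client side: credentials go in the Authorization header, not the JSON body."""
    raw = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + raw}

def parse_basic_auth(headers):
    """Return (user, password) from 'Authorization: Basic <base64>' or None."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    try:
        user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if scheme.lower() == "basic" else None

def issue_token(user, ttl=3600):
    """Mint a signed, expiring token 'payload.hmac' (a simplified stand-in for a JWT)."""
    claims = json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def login(headers):
    """Token endpoint: (status, token); the same 401 for unknown user and bad password."""
    creds = parse_basic_auth(headers)
    stored = USERS.get(creds[0]) if creds else None
    if stored is None or not hmac.compare_digest(stored, hash_password(creds[1])):
        return 401, None
    return 200, issue_token(creds[0])

def verify_bearer(headers):
    """Resource endpoint: subject of a valid 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if scheme.lower() != "bearer" or not sig or not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] >= int(time.time()) else None
```

Both comparisons use `hmac.compare_digest`, and the token endpoint returns the same 401 whether the user is unknown or the password is wrong, so the response does not leak which one failed.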