I had read the authentication document you mentioned, from it I was 90% sure I needed to use the SSO Token / session key auth method, but wanted to rule out the cookie authentication option. Also, in my situation creating the SSO Token meant requesting a new service to be exposed by our SSO system, coded by a different department than mine. I'm confident now that cookie auth is not an option for my use case. I've started working with our other developers to design a secure service to get Lithium SSO Tokens for authenticated users. Since they are already generating tokens for the standard SSO login authentication cookie, it shouldn't be a large undertaking.
I've started building a javascript library to authenticate and communicate with the rest api, and things are looking like they should go well.
Thanks for mentioning the login metric thing. I will keep that in mind, keeping careful not to authenticate / re-authenticate unless needed to cut down on that.
Thanks again for your advice!
