How do you guys handle authentication in native mobile apps?

[forgot]

On the web, it's accepted that a session may expire and the user will have to log in again. With native mobile apps, the expectation (for the most part) is to log in once and stay logged in unless the user explicitly logs out, or the token is blacklisted.

I'm curious how you guys (Feathers users in general) handle these scenarios? How are you handling authenticated service calls outside of, or with, JWT? Do you use a modified version of the standard authentication? I realize you can set a token to never expire, but that feels like a significant security issue.

tl;dr
How do you guys handle auth on native apps that expect you to sign in once, with or without JWT?

[suleimanas]

Me, I extends the AuthStrategy and add any kind of key to the user's object on login.
then extends JWTStrategy to check for that key and unauth the user if it's not there or changed.
without the need to blacklist anything

[forgot]

Interesting. So a custom key is returned to the native app within the user object after the user authenticates, and is stored locally to use in future calls to the server that require authentication, correct?

Is this key created on a per app or per user basis?

This almost seems like a slightly different version of the API Key Authentication recipe in the cookbook, which is what I've gone with for now. What do you think the advantages are of your method versus the API Key method?

[suleimanas]

I mean on login generate a custom key and add it to the user's data and the jwt,
then checking on jwt authentication is that key still the same or not. without the need to do anything on the client side.