Question:
I provide a set of public web APIs for third party apps (clients) to use. I want to track how these clients use my APIs, so I need to generate tokens for these clients. At the same time, I need to authenticate real users, and different users can see different representations of the same resources. I know OAuth2 can solve my problem, but it is complicated. I prefer using HTTPS + basic authentication for both the user and the application, so I will use different properties in the HTTP header for the client and the real user. Is this an appropriate way?
Answer 1:
Generally speaking, Basic Authentication does not do the job because it requires credentials (username/password) for all the requests, and this is not what you want.
Firstly, let's analyze your requirements:
- You want an end user to be able to access your service
- You want an authorized 3rd party App to be able to access other end users' data (with the users' approval)
- You DON'T want the 3rd party App to get other end users' credentials
So we could summarize the ideal workflow as:
- End user launches the 3rd party App and says "I want to give you access to the service"
- The 3rd party App turns to your service API and says "I want to access this user's data"
- Your service shows an access-grant page and says "Do you want to grant this app access to your below listed data?" (Important: this access-grant service is provided by you rather than the 3rd party App)
- End user agrees, inputs the username/password (the end user needs to identify that this access-grant page is from you!) and grants
- Your access-grant page generates a token and the 3rd party uses the token to access your data by:
  - The 3rd party App sends a request to your service and says "This is the authorization token for the end user, please give me the data"
  - Your service verifies both the 3rd party and the end user's token and responds.
  - The 3rd party App could do more requests as long as the token is not expired.
Based on the above workflow, the end user only has to input the username/password 1 time, so Basic Authentication does not fulfill your requirement.
Actually, your requirement is Token Based Authentication (for sure you need a token expiration mechanism): the 3rd party only gets end users' authorization tokens rather than credentials.
To do this, without OAuth, you need to implement token generation, validation and expiration mechanisms.
And for sure you could put those tokens either in the HTTP header or the URL, which depends on your preference or design philosophy.
Hope this helps!
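The token issue/verify steps of the workflow above, as an added example that is not part of the original answer: the access-grant page issues a signed token bound to one user, one client and an expiry, and the service checks the 3rd party's own credentials and the user's token on every request. The signing key, the registered client and the TTL are constructed values, not anything from the post.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example values (hypothetical, not from the post): the server's
# token-signing key and one registered 3rd party client with its client secret.
SERVER_KEY = b"constructed-server-signing-key"
CLIENTS = {"app-123": "client-secret-abc"}  # client_id -> client_secret
TOKEN_TTL_SECONDS = 3600


def _sign(payload: bytes) -> str:
    # HMAC-SHA256 over the token body so the service can detect tampering.
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user_id, client_id, scopes, now=None):
    """Called by the access-grant page after the user authenticated and approved.
    The token binds the user, the granting client and the scopes, and expires."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "client": client_id, "scope": scopes,
              "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body.encode())}"


def verify_request(client_id, client_secret, token, now=None):
    """Service side: authenticate the 3rd party App itself, then validate the
    end user's token. Returns the claims on success, or None on any failure."""
    now = int(time.time()) if now is None else now
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None  # unknown client or wrong client secret
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # expired: the user must grant access again
    if claims["client"] != client_id:
        return None  # token was issued to a different 3rd party App
    return claims
```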