# ktor
m
Does anyone know of the standard way of authenticating an API caller? From what I've seen, a user will generate a key and secret and that essentially becomes the username and password, but it is sent with every request rather than only once to receive an access and refresh token. I'm looking for a process to create user sessions and API access sessions (for non-human users). This is in an offline environment, so OAuth is a no-go. If anyone has suggestions on what this process could look like, I'd appreciate any insight.
s
Are you after something specific in ktor, or just a general methodology? It sounds like you might be looking for something like JWT
m
An example in Ktor would be welcome, but a general methodology is more what I'm looking for. I have looked extensively into JWTs and have seen arguments for and against using them for user authentication. From what I've found in my research, however, there seems to be no real standard for how to do high-security authentication; OAuth is the only exception and not an option. Using OAuth methodology doesn't seem like a terrible idea, but it doesn't use JWTs (instead randomly generated strings?) and detailed documentation on that seems scarce as well.
I'm just looking for a helping hand in the right direction or any examples you can give.
s
In fact, you can use a JWT as an OAuth token (https://oauth.net/2/bearer-tokens/).
m
Interesting! Do you know of a basic structure for how one would accomplish replicating the OAuth process in a local environment?
s
OAuth is a broad topic and I think it’s likely it will have a variant that matches your setup. What I would try to do is read through the OAuth terminology and roles and try to relate it to your system — for example whether your client is a confidential client or a public client. I think going into more detail about it here would be too far off topic for this Slack 😄