My colleague and I are planning to develop a web and mobile application. The web application will be built using Django, and we'll also create an API using Django REST Framework. The mobile application will be developed using qml/C++ in QT.
We're currently wondering how to implementing user login functionality. As far as we understand, when a user tries to log in, we should send their username and password by the API. Subsequently, these credentials will be authenticated by API, and an authentication token will be sent back to the mobile application that will be using in all further requests from mobile app. Is this the correct approach? How the login credentials should be sent to the API. Should they be sent in the URL, in the headers, or should we consider using different methods altogether?