How to securely authenticate users with external collection


I’m trying to better understand current best practice for connecting to an external collection. In my scenario, I’d like to connect to a REST API that I built so I can obtain my list of “widgets.” Below is my thought process so far; please feel free to make suggestions!

Idea #1: Don’t use authentication on the REST service.
This won’t work for my needs, but it’s a starting point. If I don’t require users to authenticate at the REST API level, I can have any user request the widgets the user cares about.

Idea #2: Use a per-user hard coded JWT token
This is better, but it’s still not very secure. I was reading this post from May 2021, in which @ColinWinhall was showing another poster how to use a variable for a JWT token in a connection: Variables support for JWT Authentication | Voters | Adalo. With this, I could put a per-user variable in the database and store their hardcoded token. JWT tokens would have to be permanent and could not be allowed to expire.

Idea #3: Refresh the per-user JWT token when it expires
This would be my real goal. I’d still be storing the user’s JWT token in the Adalo database, which I don’t love, but it’s the best I’ve come up with so far.

Is #3 possible? Are there better ways I could be trying to do this?
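
Added example, not part of the original post and not the poster's or Adalo's code: a sketch of what the REST API side of Idea #3 could look like, with a short-lived access JWT plus a single-use refresh token in place of the permanent token from Idea #2. The function names, the 5-minute lifetime, the demo signing key and the in-memory refresh store are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key for the demo
ACCESS_TTL = 300                   # assumed 5-minute access token lifetime
_refresh_store = {}                # sha256(refresh token) -> user id

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access(user_id: str, now: float) -> str:
    """Sign a short-lived HS256 JWT carrying the user id and an expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": user_id, "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def verify_access(token: str, now: float):
    """Return the user id, or None if the signature is bad or the token expired."""
    try:
        header, claims, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        body = json.loads(_unb64(claims))
    except (ValueError, TypeError):
        return None
    return body["sub"] if now < body["exp"] else None

def login(user_id: str, now: float):
    """After the API has checked credentials: hand out an access/refresh pair."""
    refresh = secrets.token_urlsafe(32)
    # Only a hash of the refresh token is kept server-side.
    _refresh_store[hashlib.sha256(refresh.encode()).hexdigest()] = user_id
    return issue_access(user_id, now), refresh

def refresh_tokens(refresh: str, now: float):
    """Rotate: a refresh token works once, then is replaced by a new pair."""
    user_id = _refresh_store.pop(hashlib.sha256(refresh.encode()).hexdigest(), None)
    return login(user_id, now) if user_id else None
```

With this shape, a token copied out of the client's database is only usable until its expiry, and replaying an already-used refresh token is refused.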