I have just read the post on how to use JWT for authentication, which is fine for user login. I also wanted to implement an application key, to allow particular phones and browsers to be validated to use the server.
That is I want to restrict the system by device as well.
Any suggestion on how to implement it? Incorporated with JWT perhaps? I can save the key on the device using IndexedDB.
It is unclear how you expect this to work.
Are you going to validate such a particular application key server-side?
If so, how will the server know about these keys?
If you have another scheme in mind, please provide sufficient details.
It's an in-house application for staff only, but it's on the web, so I don't want the public to view anything. Some of the content (even menus) is confidential. Even though the webapp has no-index tags and there is no internal link on the website, Google will eventually find it and people may link to it.
I am using the terms key, token etc. loosely in the following.
I was thinking that:
When the application detects it has not been registered on that device, it asks for an application key (master password).
On entry, it communicates with the server, fetches a token and saves it to local storage or IndexedDB.
This authorises that browser/device to be used.
Then the application menus and the purpose of the app are visible.
The user can now log in.
So for authentication, I want to send the token, username and password for every REST call.
This also stops the staff from running it on their own devices, unless the Operational Manager authorises that device.