When you are dealing with authentication between your own API, your client, and a third-party API, you never want to expose the token for the third-party application to your clients. I’ve covered this in the past on Stack Overflow for python-social-auth, which I recommend looking at for django-allauth as well.

You have said you are using django-rest-auth, which maintains a single token per user that is shared across multiple clients. This is very similar to the TokenAuthentication that Django REST Framework provides, and it carries many of the same drawbacks. Because all clients share the same authentication token for a user, all clients will be affected if the token has to be revoked for any reason. Even worse, django-rest-auth allows users to explicitly “log out”, which immediately revokes the token for everyone. This works well if only one or two clients will be using your API, and they can handle tokens mysteriously disappearing, but it does not work well for anything larger. It also does not support multiple tokens for users, which is what you are looking for.

I typically recommend for APIs to use a token-based authentication like OAuth, and django-oauth-toolkit tends to be the recommended one for Django REST Framework. This will allow you to essentially proxy requests between the third party and your client, while keeping tokens for users unique to the client. As the tokens are unique to the client, you will not need to worry about a token being revoked or expiring for one client affecting another client, as the tokens will be independent of each other.
OAuth is used by many of the “big names” out there, like Stack Exchange, Google, and Facebook. While it does not directly support the concept of “logging out”, it is usually recommended that you create your own pages for users of your application to revoke tokens for applications, so they have control over who can and can’t access the API on their behalf.
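The two token models the answer contrasts, and the proxy it describes, as an added illustration that is not part of the answer and not code from django-rest-auth, Django REST Framework or django-oauth-toolkit. It is plain Python with no Django dependency: `SharedTokenStore` mimics the one-token-per-user behaviour (logging out one client logs out all of them), `PerClientTokenStore` mimics per-client OAuth-style access tokens (revoking one leaves the others intact), and `ThirdPartyProxy` keeps the third-party token server-side so a client only ever holds your API's token. All class and function names, the `fake_upstream_get` stand-in for the third-party API and the `tp-secret-for-alice` value are constructed for this example.

```python
import hashlib
import secrets


def _key(token: str) -> str:
    """Store only a digest of each per-client token; a leaked table then yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


class SharedTokenStore:
    """One token per user, handed to every client (the django-rest-auth / TokenAuthentication model)."""

    def __init__(self):
        self._tokens = {}  # user -> token, kept in clear because every client must receive the same value

    def login(self, user: str) -> str:
        if user not in self._tokens:
            self._tokens[user] = secrets.token_urlsafe(32)
        return self._tokens[user]  # second client gets the very same token

    def authenticate(self, token: str):
        for user, stored in self._tokens.items():
            if secrets.compare_digest(stored, token):
                return user
        return None

    def logout(self, token: str) -> None:
        user = self.authenticate(token)
        if user is not None:
            del self._tokens[user]  # revoked for every client at once


class PerClientTokenStore:
    """One token per (user, client) pair, the way OAuth access tokens are issued."""

    def __init__(self):
        self._grants = {}  # sha256(token) -> (user, client_id)

    def issue(self, user: str, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._grants[_key(token)] = (user, client_id)
        return token

    def authenticate(self, token: str):
        return self._grants.get(_key(token))  # (user, client_id) or None

    def revoke(self, token: str) -> None:
        self._grants.pop(_key(token), None)

    def revoke_client(self, user: str, client_id: str) -> int:
        """What a user-facing 'disconnect this application' page would call; returns tokens removed."""
        doomed = [k for k, grant in self._grants.items() if grant == (user, client_id)]
        for k in doomed:
            del self._grants[k]
        return len(doomed)


# Constructed stand-in for the third-party API; a real call would be an HTTP request with a Bearer header.
UPSTREAM_VALID_TOKENS = {"tp-secret-for-alice"}


def fake_upstream_get(upstream_token: str, path: str):
    if upstream_token not in UPSTREAM_VALID_TOKENS:
        return 401, {"detail": "upstream rejected token"}
    return 200, {"path": path, "profile": {"name": "Alice"}}


class ThirdPartyProxy:
    """Clients present only your API's token; the third-party token stays on the server."""

    def __init__(self, api_tokens: PerClientTokenStore, upstream=fake_upstream_get):
        self._api_tokens = api_tokens
        self._upstream = upstream
        self._upstream_tokens = {}  # user -> third-party token, never returned to a client

    def link(self, user: str, upstream_token: str) -> None:
        self._upstream_tokens[user] = upstream_token

    def get(self, api_token: str, path: str):
        grant = self._api_tokens.authenticate(api_token)
        if grant is None:
            return 401, {"detail": "invalid or revoked token"}
        user, _client_id = grant
        upstream_token = self._upstream_tokens.get(user)
        if upstream_token is None:
            return 403, {"detail": "no linked third-party account"}
        return self._upstream(upstream_token, path)  # response passes through, token does not


def compare_revocation() -> dict:
    """Revoke the 'web' client's token under each model and see whether 'mobile' survives."""
    shared = SharedTokenStore()
    web, mobile = shared.login("alice"), shared.login("alice")
    shared.logout(web)
    per_client = PerClientTokenStore()
    web2, mobile2 = per_client.issue("alice", "web-app"), per_client.issue("alice", "mobile-app")
    per_client.revoke(web2)
    return {
        "shared_other_client_survives": shared.authenticate(mobile) is not None,
        "per_client_other_client_survives": per_client.authenticate(mobile2) is not None,
    }


if __name__ == "__main__":
    print(compare_revocation())
```

`compare_revocation()` returns `shared_other_client_survives: False` and `per_client_other_client_survives: True`, which is the difference the answer is pointing at. `revoke_client` is the hook a "revoke access for this application" page would call, and `ThirdPartyProxy.get` shows the other half of the advice: a revoked or forged API token is rejected before any upstream call is made, and a successful call returns the upstream body without the upstream token.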