Authorizing requests (i.e. that they come from an authorized, thus authenticated, entity) can be done in many ways.
One way is using the http basic authentication and its improvement, digest authentication. Http basic auth is what you prefer to use.
Another would be to use mTLS between a client (application, not host) and a server.
A third way would be to provide an access token (or API key) to the authenticated entity (or use a session token1) that will be provided with every subsequent request. The access token can be opaque or structured (e.g. JWT) and can be exchanged between the client and the server in a header (e.g. Authorization
or Cookie
), the query string of the request URL or the request body (as a value to a pre-determined key).
Each has its pluses and minuses but, all other things being equal security-wise, replacing an access/session token (or API key) with http basic auth makes little difference. There are, however, reasons (see, for example, here and here) that have led us to move away from http basic auth, of which I'd like to mention the following:
it requires validating the credentials on every request, which can be expensive (CPU-wise) in high traffic sites/APIs
it's more expensive to keep a session like this, should you need it, because it requires two steps to restore the session server-side (validate credentials + lookup of session data). On the other hand, when using a session or access token you just need one (lookup of session data)
in the case of browsers, there are security issues similar to using cookies (e.g. CSRF), due to caching of the credentials at the browser side2
Finally, to answer your question:
[...] does having no session ID introduce any attack vectors [...]
No, as long as you follow best practices on security for the specific authentication method.
1 Session tokens usually refer to stateful conversations (e.g. browser-API interaction), whereas access tokens/API keys usually refer to stateless communication (e.g. software agent-API interaction). See here for a short description of session and access tokens. Also, see here for a reference to the difference between an access token and an API key
2 From here: "Because the BA field has to be sent in the header of each HTTP request, the web browser needs to cache credentials [...]"