What's wrong with my own authentication scheme?

So I want to write my own authentication scheme for a web-app server, as follows. I assume this is a Bad Idea for either security or cost-effectiveness reasons, and I know the conventional wisdom is to use an existing library, but I'd be happy for pointers as to where exactly I would be going wrong, since this scheme seems both secure and easy to build.

In Pseudo-API, I would respond to the following:

  1. POST /login,signup (+username, passwd) -> create and return token for this user. (Save user<->token relationship on server.)

  2. POST /logout -> destroy token for this user on server. (Destroy user<->nothing relationship on server.)

  3. POST /any-action (+token) -> perform action if token is correct. (user and token match user<->token on server.)

Is the above an insecure paradigm?
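As an added illustration (not the asker's code), here are the three endpoints from the pseudo-API implemented as plain Python functions with the defaults a mature library would give you: CSPRNG tokens, tokens and passwords stored only as hashes, constant-time comparison, and a server-side expiry. The in-memory dictionaries, the one-hour TTL, and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stores for the example; a real server would use a database.
USERS = {}      # username -> (salt, scrypt hash of password)
SESSIONS = {}   # sha256(token) -> Session

# Assumed lifetime for a token; the question's scheme has no expiry at all.
TOKEN_TTL_SECONDS = 3600

# Used to keep login timing identical for unknown usernames (see login()).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 64


@dataclass
class Session:
    username: str
    expires_at: float


def _hash_password(password, salt):
    # Memory-hard KDF; the stored value cannot be reversed to the password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def _token_key(token):
    # Tokens are stored hashed so that a leaked SESSIONS table yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


def signup(username, password):
    """POST /signup: create the user; returns False if the name is taken."""
    if username in USERS:
        return False
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))
    return True


def login(username, password, now=None):
    """POST /login: verify the password and return a fresh bearer token, or None."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    # Always run the KDF and the compare, even for unknown users, so response
    # timing does not reveal which usernames exist.
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if record is None or not ok:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    SESSIONS[_token_key(token)] = Session(username, now + TOKEN_TTL_SECONDS)
    return token


def authenticate(token, now=None):
    """Resolve a presented token to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _token_key(token)
    session = SESSIONS.get(key)
    if session is None:
        return None
    if session.expires_at <= now:
        del SESSIONS[key]                      # expired: treat as logged out
        return None
    return session.username


def logout(token):
    """POST /logout: destroy the server-side token; returns whether one existed."""
    return SESSIONS.pop(_token_key(token), None) is not None


def any_action(token, action, now=None):
    """POST /any-action: perform the action only if the token maps to a user."""
    user = authenticate(token, now)
    if user is None:
        return (401, "invalid or expired token")
    return (200, f"{user} performed {action}")
```

The token is a bearer credential: whoever presents it is treated as the user, so it must only travel over TLS and must never be logged. The server-side lookup keyed by the token's hash is what makes logout and expiry actually enforceable, which is the main thing the scheme in the question gets right and also the part that needs the TTL the question leaves out.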