commit 537cdd4577ad663ce00a1af912fd996537347c4d
parent 22cbf5720f74b90c9d6aaef6d287a5d74bb87550
Author: Florian Dold <florian@dold.me>
Date: Tue, 2 Mar 2021 13:50:15 +0100
merchant auth
Diffstat:
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/core/api-merchant.rst b/core/api-merchant.rst
@@ -83,7 +83,15 @@ Examples:
Authentication
--------------
-TODO
+Each merchant instance has separate authentication settings for the private API resources
+of that instance.
+
+Currently, the API supports two auth methods:
+
+* ``external``: With this method, no checks are done by the merchant backend.
+ Instead, a reverse proxy / API gateway must do all authentication/authorization checks.
+* ``token``: With this method, the client must provide a ``Authorization: Bearer $TOKEN``
+ header, where ``$TOKEN`` is a secret authentication token configured for the instance.
-----------------
Configuration API
