commit 7bc73f4a6da05bac4707d1d8ef93283894d45c3d
parent 3ef1480c35cf756935371587f760b0aa438dba62
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Thu, 19 Jun 2025 14:51:02 +0200
update API to allow token with password
Diffstat:
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/core/api-merchant.rst b/core/api-merchant.rst
@@ -102,7 +102,7 @@ Currently, the ``/private/auth/`` API supports two main authentication methods i
* ``external``: With this method, no checks are done by the merchant backend.
Instead, a reverse proxy / API gateway must do all authentication/authorization checks.
-* ``password`` (**v42**): With this method, the client must provide a ``Authorization: Bearer $TOKEN``
+* ``token`` (**v42**): With this method, the client must provide a ``Authorization: Bearer $TOKEN``
header when accessing a protected endpoint, where ``$TOKEN`` is an authentication token
retrieved from the ``/private/token`` endpoint using basic authorization.
A login token is valid only for a limited period of time and can be used by clients to avoid storing the
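Review bot: renaming this bullet to ``token`` leaves the list with two entries keyed ``token``, this one marked (**v42**) and the ``token`` (*deprecated*) entry shown in the next hunk. A reader can no longer tell from the method name alone whether ``secret-token: $INSTANCE_PASSWORD`` or a login token from ``/private/token`` is expected. Suggest saying in this bullet what distinguishes the two cases, for example which field is set when the instance is configured. While the line is being touched, "a ``Authorization``" should read "an ``Authorization``".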
@@ -118,7 +118,7 @@ Currently, the ``/private/auth/`` API supports two main authentication methods i
Notice that this behaviour is deprecated and will be phased out in favor of login tokens.
* ``token`` (*deprecated*): With this method, the client must provide an authentication token in
the format ``secret-token: $INSTANCE_PASSWORD``.
- The behaviour is then equivalent to the ``password`` method above.
+ The behaviour is then equivalent to the ``token`` method above.
Any API may be accessed using the bearer authentication ``secret-token: $INSTANCE_PASSWORD``.
Notice that this behaviour is deprecated and will be phased out in favor of login tokens.
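Review bot: the changed sentence sits inside the ``token`` (*deprecated*) bullet, so "equivalent to the ``token`` method above" now reads as a reference to the bullet itself. Suggest naming the target unambiguously, e.g. "equivalent to the ``token`` (**v42**) method above", so it stays clear that the deprecated ``secret-token:`` form maps onto the login-token behaviour.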
@@ -1181,19 +1181,20 @@ Setting up instances
// gateway must do the authentication.
// "token": (deprecated) The merchant checks an auth token.
// See "token" for details.
- // "password": APIs use login tokens retrieved from the /private/token
+ // See "token" for details.
+ // Since v42: APIs use login tokens retrieved from the /private/token
// endpoint.
// See "password" for details.
- method: "external" | "token" | "password";
+ method: "external" | "token";
- // For method "token", this field is mandatory.
+ // Deprecated: For method "token", this field is mandatory.
// The token MUST begin with the string "secret-token:".
// After the auth token has been set (with method "token"),
// the value must be provided in a "Authorization: Bearer $token"
// header.
token?: string;
- // For method "password", this field is mandatory.
+ // Since v42: For method "token", this field is mandatory.
// Authentication against the /private/token endpoint
// is done using basic authentication with the configured password
// in the "password" field. Tokens are passed to other endpoints for
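Review bot: the comment block above ``method`` is left inconsistent by this change. The added ``// See "token" for details.`` duplicates the unchanged line directly before it, and ``// See "password" for details.`` remains although "password" is no longer a value of ``method``. The two field comments also both say "For method "token", this field is mandatory" (one prefixed "Deprecated:", one "Since v42:"), and the visible text does not say which field a client must send or what happens if both or neither are present. Suggest dropping the duplicate line, pointing the remaining reference at the password field explicitly, and documenting the rule for choosing between ``token`` and the password field, since a client that guesses wrong ends up sending the long-lived instance secret where a short-lived login token was intended.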