taler-docs

Documentation for GNU Taler components, APIs and protocols

commit fdf4cb517458c0e0bdd3c6752730d77984df2bb8
parent 30aec1e888076b1be4de4e52ed1abaf980a2d17d
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Sun,  6 Jul 2025 16:36:42 +0200

clearer authentication explanation

Diffstat:
M core/api-merchant.rst | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/core/api-merchant.rst b/core/api-merchant.rst @@ -99,13 +99,12 @@ Currently, the ``/private/auth/`` API supports two main authentication methods i * ``external``: (*@deprecated since vNOEXTAUTH*) With this method, no checks are done by the merchant backend. Instead, a reverse proxy / API gateway must do all authentication/authorization checks. -* ``token`` (**@since v19**): With this method, the client must provide a ``Authorization: Bearer $TOKEN`` - header when accessing a protected endpoint, where ``$TOKEN`` is an authentication token - retrieved from the ``/private/token`` endpoint using basic authorization. - A login token is valid only for a limited period of time and can be used by clients to avoid storing the - long-term login secrets from an authentication method. - The username corresponds to the instance ``$ID``, the password to the instance password ``$INSTANCE_PASSWORD``. - The token must be provided as a bearer token with the RFC 8958 prefix (``secret-token``) in the authorization header. +* ``token`` (**@since v19**): With this method, the client must provide an authorization header + that contains a bearer token when accessing a protected endpoint in the form + ``Authorization: secret-token:$TOKEN``. + ``$TOKEN`` is an authentication token retrieved from the ``/private/token`` endpoint using basic authorization. + The respective username is the instance ``$ID``, and the password the instance password (``$INSTANCE_PASSWORD``). + A login token is commonly only valid for a limited period of time and scoped to specific permissions. If the ``$INSTANCE_PASSWORD`` is lost, the administrator can set a password using the ``taler-merchant-passwd`` command-line tool. Any API may also be accessed using the bearer authentication ``secret-token: $INSTANCE_PASSWORD``.
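Review bot: the new example header ``Authorization: secret-token:$TOKEN`` drops the ``Bearer`` scheme keyword even though the same sentence still says the client provides a bearer token, and the unchanged context line below writes the credential as ``secret-token: $INSTANCE_PASSWORD`` with a space; pick one canonical form, e.g. ``Authorization: Bearer secret-token:$TOKEN`` (which is what the removed lines, ``Authorization: Bearer $TOKEN`` plus the ``secret-token`` prefix, described), and use it in both places. The rewrite also loses two points worth keeping: the pointer to the RFC that defines the ``secret-token`` prefix (the removed line cited RFC 8958; the secret-token URI scheme is RFC 8959, so correct the number rather than delete the reference) and the reason login tokens exist, namely that clients can hold a short-lived token instead of storing the long-term instance password. Finally, "commonly only valid for a limited period of time" is vaguer than the removed "valid only for a limited period of time"; state the expiry rule definitively, since anyone deciding how to store and rotate these tokens needs to know whether expiry is guaranteed.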