Elonn Docs Platform Documentation

token

identity canonical authority: api.elonn.local

Token

A credential issued by the API service after successful authentication. Tokens identify the authenticated member across all service calls.

Allowed:

  • API token
  • auth token
  • elonn_api_token (the cookie name)
  • Bearer token (when transmitted via Authorization header)

Forbidden:

  • key (too generic)
  • password (a token is not a password)
  • secret (describes storage requirement, not the object)
  • JWT (the token format is an implementation detail; not a product term)

Notes:

  • The token is transmitted as the elonn_api_token HTTP cookie in browser contexts.
  • In service-to-service calls, world forwards the filtered cookie to social and other services. The filtering function (serviceCookieHeader) strips all cookies except elonn_api_token.
  • Tokens are validated by calling the API service. No service validates tokens locally.
  • CalDAV clients use the member's normal account identifier and password; no separate DAV token is issued.

Related:

  • session (auth session; see: session)
  • member
  • api