token
Token
A credential issued by the API service after successful authentication. Tokens identify the authenticated member across all service calls.
Allowed:
- API token
- auth token
- elonn_api_token (the cookie name)
- Bearer token (when transmitted via Authorization header)
Forbidden:
- key (too generic)
- password (a token is not a password)
- secret (describes storage requirement, not the object)
- JWT (the token format is an implementation detail; not a product term)
Notes:
- The token is transmitted as the
elonn_api_tokenHTTP cookie in browser contexts. - In service-to-service calls, world forwards the filtered cookie to social and other services. The filtering function (
serviceCookieHeader) strips all cookies exceptelonn_api_token. - Tokens are validated by calling the API service. No service validates tokens locally.
- CalDAV clients use the member's normal account identifier and password; no separate DAV token is issued.
Related:
- session (auth session; see: session)
- member
- api