API token authentication

Summary

API token authentication is a simple authentication mechanism that allows the client to authenticate itself to the server. The server is not authenticated to the client, so it is not mutual authentication.

Details

Usually API tokens are sent via an Authorization: Bearer TOKENSTRING header. Sometimes an X-API-TOKEN: TOKENSTRING header is used instead.

Token-based authentication must only be allowed if TLS encryption is active.

Risks

  • Critical: If no TLS encryption is used, tokens can be read by anyone intercepting the connection and replayed.
  • Normal:
  • Minor:

Verification & Validations

  • Access protected routes with and without a token. Content should only be returned when a valid token is presented.

Important Stakeholders

OTP. Clarify with @borufka whether this or #446 is preferable for OTP, and when one of these should be implemented.

Implementation Suggestions (optional)

There are different ways to implement this.

Generally, authentication and encryption can to some extent be implemented via a reverse proxy (e.g., Traefik) using specific plugins, such as api-key-middleware. E.g., multiple clients can be configured, each with their own token.

Another option is to natively implement this in WESkit itself.
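As an added example (not WESkit's or Traefik's code), the following sketch shows what the native variant would need to get right: accept the token from either header described above, refuse token authentication when the request did not arrive over TLS, and compare against per-client tokens in constant time. The token values and client ids are constructed placeholders.

```python
import hmac
from typing import Mapping, Optional

# Constructed sample configuration: each client gets its own token
# (hypothetical values, mirroring the multi-client setup mentioned above).
API_TOKENS = {
    "client-a": "tok_a_4f8c2e9d1b7a",
    "client-b": "tok_b_9e1d3c5b7a2f",
}

# Header names as described on the page; a token is parsed from either one.
BEARER_HEADER = "Authorization"
API_TOKEN_HEADER = "X-API-TOKEN"


def extract_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token carried in the request headers, or None."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get(BEARER_HEADER.lower())
    if auth:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() == "bearer" and value.strip():
            return value.strip()
        return None  # unknown scheme: do not fall back to X-API-TOKEN
    return lower.get(API_TOKEN_HEADER.lower()) or None


def authenticate(headers: Mapping[str, str], is_tls: bool) -> Optional[str]:
    """Return the authenticated client id, or None if the request is refused.

    Token authentication is only honoured over TLS; a token sent in
    plaintext is rejected outright, so an intercepted token is never accepted.
    """
    if not is_tls:
        return None
    presented = extract_token(headers)
    if presented is None:
        return None
    # Constant-time comparison against every configured token avoids leaking
    # which prefix of a token matched through timing differences.
    matched = None
    for client_id, secret in API_TOKENS.items():
        if hmac.compare_digest(presented.encode(), secret.encode()):
            matched = client_id
    return matched
```

The verification step above maps directly onto this: a request without a token, with a wrong token, or over plain HTTP yields None and must not return protected content.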

Edited by Philip Reiner Kensche