Can't use HASSIO_TOKEN to authenticate with Websocket API

[qJake]

The problem

When authenticating to the websocket API via Javascript, providing a token obtained via the HASSIO_TOKEN environment variable (via an add-on) returns the error: Invalid access token or password.

Environment

Home Assistant 0.103.5 and 0.105.2
Hass.io (HassOS v3.9)
Websocket API Documentation

Problem-relevant configuration.yaml

You just need frontend: which enables the default websocket API.

Traceback/Error logs

Log of Websocket communication:

{"type": "auth_required", "ha_version": "0.105.2"}

{"type":"auth","access_token":"6c941fe7.....................eccd711837117"}

{"type": "auth_invalid", "message": "Invalid access token or password"}

Additional information

The documentation here should be clearer in terms of what types of tokens can be used and what can't, if this is not supported.

If this is not a supported scenario, how is an addon running in Hass.io supposed to authenticate to the Websocket API if it only has its token from the HASSIO_TOKEN env variable?

[probot-home-assistant]

Hey there @home-assistant/core, mind taking a look at this issue as its been labeled with a integration (websocket_api) you are listed as a codeowner for? Thanks!

[frenck]

You have to use the API endpoint from the Supervisor and not talk directly to the Core. The API token is valid for the Supervisor, available on:

http://supervisor/core/api && http://supervisor/core/websocket.

(So it is valid for use internally, not externally)

PS: HASSIO_TOKEN has been renamed to SUPERVISOR_TOKEN.