Some of the API requests (especially the ones that are read-only GET requests) do not require any authenication. The other ones, that modify data into the database, require broker authentication via API key. Additionally, owner tokens are issued to facilitate multiple actor roles upon object creation.
API key is username to use with Basic Authenication scheme (see :rfc:`2617#section-2`).
The token is issued when object is created in the database:
You can see the access with token in response. Its value can be used to modify objects further under "Owner role".
You can pass access token in the following ways:
- acc_token URL query string parameter
- X-Access-Token HTTP request header
- access.token in the body of POST/PUT/PATCH request
See the example of the action with token passed as URL query string: