The Token Authentication allows users with a given permissions to create Access Tokens. An Access Token can be used instead of the user account login to authenticate requests and gain access to server URLs based up on the Token configuration.

A user's account is required to have the Token Authentication permission (see Users and Groups manager) to create personal Access Tokens. An Access Token is configured with certain server URL contexts that this token will allow access to. The users account is required to have the specific system permission or access may still be denied.

There are two types of Token: Bearer and HMAC. The difference is, that using the Bearer Token implies sending this information over a public (secure) channel to the server with every request. But it can be statically defined on the client side. The HMAC Token requires calculations of a Hash value using the secret key and the content to be sent to the server.

Note: Due to the required Authentication header, including the keyword Bearer it is advised that the Bearer Token Authentication login provider is defined prior to any OAuth based login provider. Every OAuth login provider are checked one after the other with this token resulting in a performance issue when defined first.