User story #3695
Status: closed
Parent: User story #3000: Build a REST API to manage all actions in Rudder (CRUD on Nodes, Groups, Directives and Rules)
API Authentication
Description
The API will most likely be used by scripts, so we decided to keep API authentication separate from the authentication of Rudder users.
Instead, we are going to use a dedicated admin page in Rudder, where new API authentication principals can be created.
A principal is composed of:
- an ID (used, for example, as the actor in event logs)
- a token (a big random alphanumeric secret, used for authentication)
- a description (to explain the intent of that principal, like "the archiving script will use that token")
A principal can be added, which generates a token for it. It can be deleted, too. A token can be regenerated and revoked (the principal is then marked as "cannot authenticate").
From an API point of view, authentication is done ONLY with the authentication token (which must be unique among all principals), passed in a header, so that an API call will look like:
curl -H "X-API-Token: the_token" https://rudder/api/...
Authentication tokens will be stored in some persistent medium (most likely our LDAP server).
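The following is an added illustration of the principal model described above, not Rudder's own code: an in-memory store (standing in for the admin page and the persistent backend) that creates principals, generates their random alphanumeric tokens, and authenticates a request from its X-API-Token header, returning the principal ID to use as the event-log actor. Class and function names are invented for this example. It goes one step beyond the story by keeping only a SHA-256 digest of each token in the store, so the persisted data never contains the plaintext secret.

```python
"""Added example of the API principal design from this user story.
Illustrative code only, not Rudder's implementation; all names are invented."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Mapping, Optional

TOKEN_ALPHABET = string.ascii_letters + string.digits  # alphanumeric, as in the story
TOKEN_LENGTH = 32  # 32 chars * log2(62) bits ~= 190 bits of entropy


def generate_token() -> str:
    """Return a big random alphanumeric secret drawn from the OS CSPRNG."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))


def token_digest(token: str) -> str:
    """Tokens are stored and looked up by digest, so the persistent store
    (LDAP in the story) never holds the plaintext secret."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Principal:
    id: str             # actor name used in event logs
    description: str    # intent, e.g. "archiving script"
    token_digest: str   # digest of the current token, never the token itself
    revoked: bool = False  # a revoked principal cannot authenticate


class ApiPrincipalStore:
    """In-memory stand-in for the admin page plus its persistent backend."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Principal] = {}
        self._by_digest: Dict[str, str] = {}  # token digest -> principal id

    def _new_unique_token(self) -> str:
        # Tokens must be unique among all principals; retry on the
        # (practically impossible) digest collision.
        token = generate_token()
        while token_digest(token) in self._by_digest:
            token = generate_token()
        return token

    def create(self, principal_id: str, description: str) -> str:
        """Add a principal and return its freshly generated token (shown once)."""
        if principal_id in self._by_id:
            raise ValueError(f"principal {principal_id!r} already exists")
        token = self._new_unique_token()
        digest = token_digest(token)
        self._by_id[principal_id] = Principal(principal_id, description, digest)
        self._by_digest[digest] = principal_id
        return token

    def delete(self, principal_id: str) -> None:
        principal = self._by_id.pop(principal_id)
        self._by_digest.pop(principal.token_digest, None)

    def regenerate(self, principal_id: str) -> str:
        """Replace the token; the old one stops working immediately."""
        principal = self._by_id[principal_id]
        self._by_digest.pop(principal.token_digest, None)
        token = self._new_unique_token()
        principal.token_digest = token_digest(token)
        self._by_digest[principal.token_digest] = principal_id
        return token

    def revoke(self, principal_id: str) -> None:
        """Mark the principal as 'cannot authenticate' without deleting it."""
        self._by_id[principal_id].revoked = True

    def authenticate(self, headers: Mapping[str, str]) -> Optional[str]:
        """Return the principal id (event-log actor) for a valid, non-revoked
        X-API-Token header, or None when the request must be rejected."""
        lowered = {k.lower(): v for k, v in headers.items()}
        token = lowered.get("x-api-token")
        if not token:
            return None
        digest = token_digest(token)
        principal_id = self._by_digest.get(digest)
        if principal_id is None:
            return None
        principal = self._by_id[principal_id]
        # Constant-time comparison of the stored digest before accepting.
        if not hmac.compare_digest(principal.token_digest, digest):
            return None
        if principal.revoked:
            return None
        return principal_id
```

Usage mirrors the story's lifecycle: `create` returns the token once, `regenerate` invalidates the previous token on the spot, and `revoke` keeps the principal (and its ID in past event logs) while refusing new authentication.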