API token (X-API-Token) — demo

Token issued out-of-band; submitted on every request. The data endpoint enforces the token at the Nginx layer; this explainer page is unprotected so consumers can read instructions.

Demo token (review only)

eps-stakeholder-demo-2026

Real deployments would issue per-consumer tokens via a small token-issuing service or AWS Secrets Manager.

Without the token (gets a 401)

$ curl -i https://team-epsilon.cloud/files/token/data
HTTP/2 401
content-type: text/plain

Missing or invalid X-API-Token header. See /files/token/ for instructions.

With the token (returns the listing)

$ curl -i -H "X-API-Token: eps-stakeholder-demo-2026" https://team-epsilon.cloud/files/token/data
HTTP/2 200
content-type: application/json

{
  "files": [
    {"path": "flask_apps/dradis.sqlite", "size": 14918450, "modified": "2026-04-29T04:17:00Z"},
    {"path": "geoserver/world_eez/eez_v12.shp", "size": 315621376, "modified": "2025-11-30T22:11:00Z"},
    {"path": "home/kdecot/projects/coastal-model/run01.nc", "size": 2469072896, "modified": "2026-04-21T02:08:00Z"}
  ]
}

What this gate actually does

Nginx checks the X-API-Token header against a configured value. Real deployments would either:

Look up the token in AWS Secrets Manager (rotation-friendly)
Verify it as a JWT signed by the issuer (stateless, claims-aware)
Hand it off to a small Lambda / sidecar that does both

← back to access options