(zettel (meta (back "00001010000000 00001012000000") (backward "00001004010000 00001010000000 00001012000000 00001012050200") (box-number "1") (created "00010101000000") (forward "00001004010000 00001012050200 00001012050400 00001014000000") (modified "20211202120950") (published "20211202120950") (role "manual") (syntax "zmk") (tags "#authentication #configuration #manual #security #zettelstore") (title "Access token")) (rights 4) (encoding "") (content "If a user is authenticated, an \"\"access token\"\" is created that must be sent with every request to prove the identity of the caller.\nOtherwise the user will not be recognized by Zettelstore.\n\nIf the user was authenticated via the [[web user interface|00001014000000]], the access token is stored in a [[\"\"session cookie\"\"|https://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie]].\nWhen the web browser is closed, these cookies are not saved.\nIf you want the web browser to keep the cookie for as long as the token is valid, the owner must set ''persistent-cookie'' in the [[startup configuration|00001004010000]] to ''true''.\n\nIf the web browser remains inactive for a period, the user will be automatically logged off, because each access token has a limited lifetime.\nThe maximum length of this period is specified by the ''token-lifetime-html'' value of the startup configuration.\nEvery time a web page is displayed, a fresh token is created and stored inside the cookie.\n\nIf the user was authenticated via the API, the access token will be returned as the content of the response.\nTypically, the lifetime of this token is shorter, e.g. 10 minutes.\nIt is specified by the ''token-lifetime-api'' value of the startup configuration.\nIf you need more time, you can either [[re-authenticate|00001012050200]] the user or use an API call to [[renew the access token|00001012050400]].\n\nIf you remotely access your Zettelstore via HTTP (not via HTTPS, which allows encrypted communication), you must set the ''insecure-cookie'' value of the startup configuration to ''true''.\nIn most cases, such a scenario is not recommended, because user name and password will be transferred as plain text.\nYou could make use of such a scenario if you know all parties that can access the local network through which you reach the Zettelstore."))