(((meta (@ (content . "Access token") (name . "title"))) (meta (@ (content . "manual") (name . "role"))) (meta (@ (content . "#authentication #configuration #manual #security #zettelstore") (name . "tags"))) (meta (@ (content . "zmk") (name . "syntax"))) (meta (@ (content . "00001010000000 00001012000000") (name . "back"))) (meta (@ (content . "00001004010000 00001010000000 00001012000000 00001012050200") (name . "backward"))) (meta (@ (content . "1") (name . "box-number"))) (meta (@ (content . "(c) 2020-present by Detlef Stern ") (name . "copyright"))) (meta (@ (content . "20210126175322") (name . "created"))) (meta (@ (content . "00001004010000 00001012050200 00001012050400 00001014000000") (name . "forward"))) (meta (@ (content . "en") (name . "lang"))) (meta (@ (content . "EUPL-1.2-or-later") (name . "license"))) (meta (@ (content . "20241213101607") (name . "modified"))) (meta (@ (content . "20241213101607") (name . "published"))) (meta (@ (content . "public") (name . "visibility")))) (p "If a user is authenticated, an " (@L (@H "“") "access token" (@H "”")) " is created that must be sent with every request to prove the identity of the caller." " " "Otherwise the user will not be recognized by Zettelstore.") (p "If the user was authenticated via the " (a (@ (href . "00001014000000")) "web user interface") ", the access token is stored in a " (a (@ (href . "https://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie") (rel . "external")) (@L (@H "“") "session cookie" (@H "”"))) "." " " "When the web browser is closed, these cookies are not saved." " " "If you want the web browser to store the cookie for the lifetime of that token, the owner must set " (kbd "persistent-cookie") " of the " (a (@ (href . "00001004010000")) "startup configuration") " to " (kbd "true") ".") (p "If the web browser remains inactive for a period, the user will be automatically logged off, because each access token has a limited lifetime."
" " "The maximum length of this period is specified by the " (kbd "token-lifetime-html") " value of the startup configuration." " " "Every time a web page is displayed, a fresh token is created and stored inside the cookie.") (p "If the user was authenticated via the API, the access token will be returned as the content of the response." " " "Typically, the lifetime of this token is shorter, e.g. 10 minutes." " " "It is specified by the " (kbd "token-lifetime-api") " value of the startup configuration." " " "If you need more time, you can either " (a (@ (href . "00001012050200")) "re-authenticate") " the user or use an API call to " (a (@ (href . "00001012050400")) "renew the access token") ".") (p "If you remotely access your Zettelstore via HTTP (not via HTTPS, which allows encrypted communication), you must set the " (kbd "insecure-cookie") " value of the startup configuration to " (kbd "true") "." " " "In most cases, such a scenario is not recommended, because user name and password will be transferred as plain text." " " "You could make use of such a scenario if you know all parties that access the local network where you access the Zettelstore."))