Authentication: Tokens #2

@jamescun

Configuring a reverse proxy to apply authentication, or issuing client certificates, is laborious. It hampers the initial setup flow in environments that already have other means of authentication.

It should be possible to configure one or more static tokens, which the client is expected to provide through some out-of-band means, that allows the request to continue.

These tokens would likely be provided on startup by passing one or more --token command line arguments. As other processes may be able to inspect the command, it might be wise to also support environment variables for this process, perhaps a comma separated list in WGAPI_TOKEN.

As for providing the token, HTTP headers are convenient and many JSON-RPC clients support this explicitly for authentication. A decision must be made as to what header and format is used, for example:

  • Authorization: Token <token>
  • Authorization: Basic base64(<token>:)
  • Wgapi-Token: <token>

This should be decided based on the ease of configuration in popular JSON-RPC clients.
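
The proposal above, sketched as an added example (not part of the issue and not the project's own code): tokens come from `--token` values and the comma-separated `WGAPI_TOKEN`, and all three candidate header formats are accepted. Go, the function names, the listen address and the SHA-256-then-constant-time comparison are assumptions of this sketch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"os"
	"strings"
)

// ParseTokens merges --token values with the WGAPI_TOKEN list; empty entries are skipped.
func ParseTokens(flagTokens []string, env string) (out [][32]byte) {
	for _, t := range append(strings.Split(env, ","), flagTokens...) {
		if t = strings.TrimSpace(t); t != "" { // "a,,b" must not make "" a valid token
			out = append(out, sha256.Sum256([]byte(t)))
		}
	}
	return out
}

// ExtractToken accepts any of the three header formats listed in the issue.
func ExtractToken(h http.Header) string {
	scheme, value, _ := strings.Cut(h.Get("Authorization"), " ")
	if strings.EqualFold(scheme, "Token") {
		return value
	}
	if raw, err := base64.StdEncoding.DecodeString(value); strings.EqualFold(scheme, "Basic") && err == nil {
		return strings.Split(string(raw), ":")[0] // token is the username, password is empty
	}
	return h.Get("Wgapi-Token")
}

// Allowed compares fixed-length digests in constant time against every configured token.
func Allowed(tokens [][32]byte, presented string) bool {
	sum, ok := sha256.Sum256([]byte(presented)), 0
	for _, t := range tokens {
		ok |= subtle.ConstantTimeCompare(t[:], sum[:])
	}
	return presented != "" && ok == 1 // no tokens configured means nothing is allowed
}

func main() { // constructed wiring: flag parsing omitted, authorized requests get an empty 200
	tokens := ParseTokens(nil, os.Getenv("WGAPI_TOKEN"))
	http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !Allowed(tokens, ExtractToken(r.Header)) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		}
	}))
}
```

Hashing both sides first gives the comparison equal-length inputs, so response timing does not reveal a configured token's length.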

Labels: enhancement (New feature or request)