Authentication

We use a form of OAuth for authentication. Two types of resources can authenticate: users and devices. Both are discussed here.

Users

A user can create a token by posting a valid email and password to /oauth/token. The token is stored as a cookie named access_token on the API domain. Whenever we make API calls to authorized controllers, this token is used to get the current user.

Devices

A device can create a token by posting a valid pairing code to /workplace/device-token. The token is stored as a cookie named device_token on the API domain. For this token to be used when calling authorized controllers, a header needs to be included: ResourceOwnerType=Device. When this header is included, only the device is authorized and the user access token is ignored.
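The selection rule described above, as an added example that is not the API's own code: a hypothetical `select_credential` helper that decides which cookie counts for a request, including the case where the header is set but no device token is present. Only the cookie names, the header name and the value `Device` come from this page; rejecting unknown header values and the sample token values are assumptions.

```python
from http.cookies import SimpleCookie

# Names taken from the page; everything else here is an assumption.
USER_COOKIE = "access_token"
DEVICE_COOKIE = "device_token"
OWNER_HEADER = "resourceownertype"  # HTTP header names are case-insensitive


def parse_cookies(cookie_header):
    """Parse a raw Cookie header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def select_credential(headers, cookie_header):
    """Return (resource_type, token) the API should validate, or None.

    Hypothetical helper: it only picks which cookie counts for the
    request, it does not validate the token itself.
    """
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    cookies = parse_cookies(cookie_header)

    owner = normalized.get(OWNER_HEADER)
    if owner is not None:
        if owner != "Device":
            return None  # unknown resource owner type: reject (assumption)
        token = cookies.get(DEVICE_COOKIE)
        # No fallback: with the header set, the user token is ignored
        return ("device", token) if token else None

    # Without the header, only the user token is considered
    token = cookies.get(USER_COOKIE)
    return ("user", token) if token else None


# Constructed sample requests (token values are made up)
BOTH = "access_token=user-abc; device_token=dev-xyz"
USER_ONLY = "access_token=user-abc"

if __name__ == "__main__":
    print(select_credential({}, BOTH))
    print(select_credential({"ResourceOwnerType": "Device"}, BOTH))
    print(select_credential({"ResourceOwnerType": "Device"}, USER_ONLY))
```

The third call is the one to check in a real implementation: a request that asks for device authorization but carries only a user cookie must come back unauthenticated rather than silently running as the user.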