Static Token Authentication

Use static token auth when a service caller presents a fixed bearer secret managed by your team.

What this method does

  Each request carries three headers that the gateway checks:

  • Authorization: Bearer <token>
  • X-Client-ID
  • X-Profile-ID

When to use

  • Trusted system-to-system integrations
  • Low-complexity environments without external identity federation
  • Controlled partner integrations with strict rotation policy

How to configure

  1. Set profile auth type to token.
  2. Store token value in profile or credential-backed configuration.
  3. Bind profile to allowed collections and methods.
  4. Apply policy limits before publishing.

Example

curl -i https://gateway.example.com/orders/123 \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Client-ID: acme-mobile" \
  -H "X-Profile-ID: partner-prod" \
  -H "Accept: application/json"

Verify

  1. Valid token + correct profile -> 200.
  2. Missing or altered token -> 401.
  3. Wrong X-Profile-ID -> 403.
  4. Blocked method -> 405.
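The configuration and verification steps above map to a small decision routine. The following is an added example, not the gateway's own code: the profile table, token values, client IDs and helper names are constructed, and the routine returns the status codes the Verify list expects.

```python
import hmac

# Constructed sample profiles (hypothetical layout; the page names no schema).
# Each profile binds one static token to allowed client IDs, collections and methods.
PROFILES = {
    "partner-prod": {
        "token": "example-static-token-prod",      # constructed sample value
        "client_ids": {"acme-mobile"},
        "collections": {"orders": {"GET"}},        # collection -> allowed methods
    },
    "partner-staging": {
        "token": "example-static-token-staging",   # constructed sample value
        "client_ids": {"acme-mobile"},
        "collections": {"orders": {"GET", "POST"}},
    },
}


def _bearer(headers):
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def _profile_for_token(presented):
    """Find the profile owning a token; compare every entry in constant time
    and never return early, so timing does not reveal which tokens exist."""
    owner = None
    for profile_id, profile in PROFILES.items():
        if hmac.compare_digest(presented, profile["token"]):
            owner = profile_id
    return owner


def authorize(method, path, headers):
    """Model of the gateway check: 200 ok, 401 missing/altered token,
    403 wrong profile, client or route scope, 405 method not bound."""
    presented = _bearer(headers)
    if presented is None:
        return 401
    owner = _profile_for_token(presented)
    if owner is None:
        return 401
    if headers.get("X-Profile-ID") != owner:
        return 403                      # token belongs to a different profile
    profile = PROFILES[owner]
    if headers.get("X-Client-ID") not in profile["client_ids"]:
        return 403
    collection = path.strip("/").split("/", 1)[0]
    allowed = profile["collections"].get(collection)
    if allowed is None:
        return 403                      # route not bound to this profile
    return 200 if method in allowed else 405
```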

Troubleshoot

  • 401: token mismatch or missing Authorization header.
  • 403: client/profile scope does not include target route.
  • 429: policy limits exceeded; check quotas and burst settings.