# API Authentication - Introduction

Hyperion has an authorization system that lets users log in with a password and
applications log in with tokens. How strictly the Hyperion API is protected can be configured on the `Configuration` -> `Network Services` screens of the Web UI.

## Token System
Tokens are a simple way to authenticate an App for API access. They can be created in
the UI on the `Configuration` -> `Network Services` panel (the panel appears when the `API
Authentication` option is checked). Your application can also [request a Token](https://api.hyperion-project.org/requesttoken-16311741e0.md) via the API.

## Authentication Workflow

Recommended workflow for your application to authenticate:

<Steps>
  <Step title="Request a token">
    Execute a [requestToken](https://api.hyperion-project.org/requesttoken-16311741e0.md) call, annotating it with a meaningful comment which identifies the token's requestor (e.g. an application name or device) and a short, randomly created `id` (numbers/letters).
      The `comment` and `id` fields are presented to the user for decision making.
  </Step>
  <Step title="Wait for the response">
    The user needs to accept or deny the token request via Hyperion's Web UI.
  </Step>
  <Step title="On success">
    The call will return a UUID token.
      Save the token somewhere for further use. The token does not expire.
:::info[]
Be aware that a user can revoke the token at any time. A revoked token will continue to work for currently connected sessions.
:::
  </Step>
  <Step title="On error">
    No token is created, as either the user denied the request or it timed out (180s).
  </Step>    
</Steps>
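
The workflow above as client-side logic, an added example that is not part of the Hyperion documentation. The `authorize`/`requestToken` command fields, the `success`/`info` reply shape, the 5-character `id` length and newline-delimited JSON over TCP are assumptions to check against the linked requestToken reference; host, port and token path are supplied by the caller.

```python
import json
import os
import secrets
import socket
import string
import uuid

APPROVAL_TIMEOUT_S = 180  # from the page: an unanswered request times out after 180 s

def build_request(comment):
    """Return (request_id, message) for a token request."""
    alphabet = string.ascii_letters + string.digits
    request_id = "".join(secrets.choice(alphabet) for _ in range(5))  # length is an assumption
    # Assumed wire format: only `comment` and `id` are named on this page.
    msg = {"command": "authorize", "subcommand": "requestToken",
           "comment": comment, "id": request_id}
    return request_id, msg

def handle_response(raw, request_id):
    """Return the token on success, None when the request was denied or timed out."""
    reply = json.loads(raw)
    if not reply.get("success"):          # assumed reply field
        return None
    info = reply.get("info") or {}        # assumed reply field
    if info.get("id") != request_id:
        raise ValueError("reply does not belong to this token request")
    return str(uuid.UUID(str(info.get("token"))))  # ValueError if not a UUID

def store_token(path, token):
    """Persist the token readable by the owner only; it does not expire."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)

def request_token(host, port, comment, token_path):
    """Send the request, wait for the user's decision, store the token if granted."""
    request_id, msg = build_request(comment)
    # Wait slightly longer than the server-side timeout so its answer is not missed.
    with socket.create_connection((host, port), timeout=APPROVAL_TIMEOUT_S + 10) as s:
        s.sendall((json.dumps(msg) + "\n").encode())
        raw = s.makefile("r", encoding="utf-8").readline()
    token = handle_response(raw, request_id) if raw else None
    if token:
        store_token(token_path, token)
    return token
```

Because a revoked token keeps working for already connected sessions, a client should treat a failed login on reconnect as the signal to discard the stored token and request a new one.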
