An authenticated user (holding a validated token, titok) can renew that titok or restrict the scope (roles or domains) of the initial titok.
POST /auth/ak
Header: Authorization: Bearer [titok]
Body:
{
  "scopes": ["r1", "r2"],
  "domains": ["d1", "d2"]
}
Remark: any admin can generate a titok for any user (the scopes and domains should be valid for the given user):
POST /auth/ak?mode=server
Header: Authorization: Bearer [titok]
Body:
{
  "internalid": "123",
  "externalid": "456",
  "scopes": ["r1", "r2"],
  "domains": ["d1", "d2"]
}
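One way the server side could enforce both rules above, so that a new titok never carries more than the caller (or, in mode=server, the target user) is entitled to. This is an added example, not the project's own code. Assumptions: the names issue_titok, ScopeError and USERS, an admin role called "admin", the "sub" claim, and that an omitted "scopes" or "domains" field means a plain renewal.

```python
class ScopeError(Exception):
    """Raised when a request asks for more than may be granted."""

# Constructed sample data (assumption): each user's entitlements,
# keyed by the "internalid" field of the mode=server body.
USERS = {
    "123": {"scopes": {"r1", "r2", "r3"}, "domains": {"d1", "d2"}},
}
ADMIN_SCOPE = "admin"  # assumption: the page does not name the admin role


def _narrow(requested, allowed, kind):
    """Return the requested values only if they are a subset of allowed."""
    if requested is None:  # assumption: omitted field = keep what is allowed
        return set(allowed)
    if not isinstance(requested, list):
        raise ScopeError(f"{kind} must be a JSON array")
    extra = set(requested) - set(allowed)
    if extra:
        raise ScopeError(f"{kind} not permitted: {sorted(extra)}")
    return set(requested)


def issue_titok(caller, body, mode=None):
    """caller: claims of the validated titok; body: parsed JSON body.
    Returns the claims to put in the new titok."""
    if mode == "server":
        # Only an admin may mint a titok for another user, and the result
        # is bounded by that user's entitlements, not by the admin's.
        if ADMIN_SCOPE not in caller["scopes"]:
            raise ScopeError("mode=server requires an admin titok")
        user = USERS.get(body.get("internalid"))
        if user is None:
            raise ScopeError("unknown user")
        subject, allowed = body["internalid"], user
    else:
        # Renew or restrict: bounded by the presented titok itself.
        subject, allowed = caller["sub"], caller
    return {
        "sub": subject,
        "scopes": _narrow(body.get("scopes"), allowed["scopes"], "scopes"),
        "domains": _narrow(body.get("domains"), allowed["domains"], "domains"),
    }
```

Bounding the non-server path by the presented titok, rather than by the user's full entitlements, keeps an already restricted titok from being widened again through renewal.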