# Token Endpoint

## Purpose

Expose an `/api/token` endpoint on waldo.webdav.acequia.io that reads the `auth_token` HttpOnly cookie and returns it in the response body. This allows client-side pages to display the user's token for copy/paste use (e.g., for WebDAV clients, curl, or agent configuration).

Note what this gives up: `HttpOnly` exists so that script on the page cannot read the cookie, and this endpoint hands the same value to any script that calls `fetch('/api/token')`. An XSS on waldo, or a compromised third-party script loaded by one of its pages, can read the token exactly as it could read a non-HttpOnly cookie. That trade is acceptable here only because the token is already meant to be pasted into other clients. Two consequences follow: the response must be marked `Cache-Control: no-store` so the credential never lands in a browser or proxy cache, and this route must never sit behind a credentialed CORS rule that admits other origins, or every such origin can read the token cross-site.

## Endpoint

```
GET /api/token
```

### Behavior

1. Read the `auth_token` cookie from the request (sent automatically by the browser on same-origin requests)
2. If present, return the raw JWT string as `text/plain`
3. If absent, return `401 Unauthorized`

### Response

```
HTTP/1.1 200 OK
Content-Type: text/plain
Cache-Control: no-store

eyJhbGciOiJQUzI1NiIs...
```

### Server Implementation

`req.cookies` is only populated when the `cookie-parser` middleware is installed, so it is wired up here:

```js
const express = require('express');
const cookieParser = require('cookie-parser'); // populates req.cookies
const app = express();
app.use(cookieParser());
app.get('/api/token', (req, res) => {
  const token = req.cookies?.auth_token; // sent automatically by the browser
  if (!token) return res.status(401).send('No token');
  // The body is a bearer credential: keep it out of browser and proxy caches.
  res.set('Cache-Control', 'no-store').type('text/plain').send(token);
});
```

### Client Usage

```js
// Same-origin fetch sends cookies by default; check the status before trusting the body.
const res = await fetch('/api/token');
if (!res.ok) throw new Error(`not logged in (HTTP ${res.status})`);
const token = await res.text();
```

## Route naming: `/token` vs `/api/token`

### `/token` — strengths

- Short, memorable, easy to tell students verbally
- Direct — the route name is exactly what it returns
- No pretense of a larger API surface that doesn't exist
- Consistent with simple utility endpoints like `/register.html`, `/login`
- Students can type it in the browser bar directly to see their token

### `/token` — weaknesses

- Occupies a top-level route — if you ever want a directory or page called `token`, it's taken
- No namespace separation between static files and dynamic endpoints
- Harder to apply blanket middleware (auth, rate limiting, CORS) to "all API routes" since there's no common prefix
- Convention: other developers expect dynamic endpoints under `/api/`

### Recommendation

For a small server like waldo that serves a specific purpose, `/token` is fine. The `/api/` prefix exists to separate concerns on larger apps where static files and dynamic routes coexist under ambiguous paths.
Waldo is a WebDAV server with a few utility pages — a flat namespace is clearer than a hierarchy that implies more structure than exists. If the server grows to have more dynamic endpoints, refactor to `/api/token` then. Premature namespacing is the same instinct as premature abstraction.