feat(docs,webapp): rename "token {value,itself}" to "token secret"

docs/auth/account.rst

@@ -148,7 +148,7 @@ email address and password to the ``/auth/login/`` endpoint::
         '{"email": "youremailaddress@example.com", "password": "yourpassword"}'
 
 If email address and password match our records, the server will reply with
-``200 OK`` and return the token in the ``token`` field of the response body::
+``200 OK`` and return the token secret in the ``token`` field of the response body::
 
     {
         "created": "2018-09-06T09:07:43.762697Z",
@@ -163,7 +163,7 @@ In case of credential mismatch, the server replies with ``401 Unauthorized``.
 additional token will be created. Existing tokens will *remain valid*.
 
 To authorize subsequent requests with the new token, set the HTTP ``Authorization``
-header to the token value, prefixed with ``Token``::
+header to the token's secret value, prefixed with ``Token``::
 
     curl -X GET https://desec.io/api/v1/ \
         --header "Authorization: Token i-T3b1h_OI-H9ab8tRS98stGtURe"

docs/auth/tokens.rst

@@ -60,7 +60,7 @@ Field details:
     :Type: UUID
 
     Token ID, used for identification only (e.g. when deleting a token). This
-    is *not* the token value.
+    is *not* the token's secret value.
 
 ``is_valid``
     :Access mode: read-only
@@ -127,8 +127,8 @@ Field details:
     :Access mode: read-once
     :Type: string
 
-    Token value that is used to authenticate API requests.  It is only
-    returned once, upon creation of the token.  The value of an existing token
+    The token's secret value that is used to authenticate API requests.  It is only
+    returned once, upon creation of the token.  The secret value of an existing token
     cannot be recovered (we store it in irreversibly hashed form).  For
     security details, see `Security Considerations`_.
 
@@ -248,7 +248,7 @@ The response will contain a token object as described under `Token Field
 Reference`_.  You can use it to check a token's properties, such as name,
 timestamps of creation and last use, or permissions.
 
-**Note:** The response does *not* contain the token value itself!
+**Note:** The response does *not* contain the token's secret value!
 
 
 .. _delete-tokens:
@@ -265,7 +265,7 @@ token ``id`` value::
 
 The server will reply with ``204 No Content``, even if the token was not found.
 
-If you do not have the token UUID, but you do have the token value itself, you
+If you do not have the token ID, but you do have the token secret, you
 can use the :ref:`log-out` endpoint to delete it.
 
 
@@ -396,14 +396,14 @@ Security Considerations
 This section is for purely informational. Token length and encoding may change
 in the future.
 
-Any token is generated from 168 bits of randomness at the server and stored in
-hashed format (PBKDF2-HMAC-SHA256). Guessing the token correctly or reversing
+Any token secret is generated from 168 bits of randomness at the server and stored in
+hashed format (PBKDF2-HMAC-SHA256). Guessing the secret correctly or reversing
 the hash is hence practically impossible.
 
-The token value is represented by 28 characters using a URL-safe variant of
+The token's secret value is represented by 28 characters using a URL-safe variant of
 base64 encoding. It comprises only the characters ``A-Z``, ``a-z``, ``0-9``, ``-``,
 and ``_``. (Base64 padding is not needed as the string length is a multiple of 4.)
 
-Old versions of the API encoded 20-byte tokens in 40 characters with hexadecimal
+Old versions of the API encoded 20-byte token secrets in 40 characters with hexadecimal
 representation. Such tokens are not issued anymore, but remain valid until
 invalidated by the user.

docs/dns/domains.rst

@@ -145,7 +145,7 @@ To create a new domain, issue a ``POST`` request to the ``/api/v1/domains/``
 endpoint, like this::
 
     curl -X POST https://desec.io/api/v1/domains/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<< \
         '{"name": "example.com"}'
 
@@ -183,7 +183,7 @@ The ``/api/v1/domains/`` endpoint responds to ``GET`` requests with an array of
 `domain object`_\ s. For example, you may issue the following command::
 
     curl -X GET https://desec.io/api/v1/domains/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 to retrieve an overview of the domains you own.  Domains are returned in
 reverse chronological order of their creation, and DNSSEC keys are omitted.
@@ -203,7 +203,7 @@ To retrieve a domain with a specific name, issue a ``GET`` request with the
 ``name`` appended to the ``domains/`` endpoint, like this::
 
     curl -X GET https://desec.io/api/v1/domains/{name}/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 This will return only one domain (i.e., the response is not a JSON array).
 
@@ -224,7 +224,7 @@ The responsible domain for a given DNS query name (``qname``) can be retrieved
 by applying a filter on the endpoint used for `Listing Domains`_, like so::
 
     curl -X GET https://desec.io/api/v1/domains/?owns_qname={qname} \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 If your account has a domain that is responsible for the name ``qname``, the
 API returns a JSON array containing only that domain object in the response

docs/dns/rrsets.rst

@@ -155,7 +155,7 @@ To create a new RRset, simply issue a ``POST`` request to the
 ``/api/v1/domains/{name}/rrsets/`` endpoint, like this::
 
     curl -X POST https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<< \
         '{"subname": "www", "type": "A", "ttl": 3600, "records": ["127.0.0.1", "127.0.0.2"]}'
 
@@ -193,7 +193,7 @@ about the TLS certificate used by the server that the domain points to.  For
 example, to create a ``TLSA`` RRset for ``www.example.com``, you can run::
 
     curl -X POST https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         {
           "subname": "_443._tcp.www",
@@ -222,7 +222,7 @@ sending an array of RRset objects to the ``rrsets/`` endpoint (instead of just
 one), like this::
 
     curl -X POST https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         [
           {"subname": "www", "type": "A", "ttl": 3600, "records": ["1.2.3.4"]},
@@ -245,7 +245,7 @@ with an array of `RRset object`_\ s. For example, you may issue the following
 command::
 
     curl -X GET https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 to retrieve the contents of a zone that you own.  RRsets are returned in
 reverse chronological order of their creation.
@@ -287,7 +287,7 @@ To retrieve an array of all RRsets from your zone that have a specific type
 like::
 
     curl https://desec.io/api/v1/domains/{name}/rrsets/?type={type} \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 Query parameters used for filtering are fully compatible with `pagination`_.
 
@@ -300,7 +300,7 @@ To filter the RRsets array by subname (e.g. to retrieve all records in the
 parameter, like this::
 
     curl https://desec.io/api/v1/domains/{name}/rrsets/?subname={subname} \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 This approach also allows to retrieve all records associated with the zone
 apex (i.e. ``example.com`` where ``subname`` is empty), by querying
@@ -318,7 +318,7 @@ To retrieve an RRset with a specific name and type from your zone (e.g. the
 like this::
 
     curl https://desec.io/api/v1/domains/{name}/rrsets/{subname}/{type}/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 This will return only one RRset (i.e., the response is not a JSON array).  The
 response status code is ``200 OK`` if the requested RRset exists, and ``404
@@ -338,13 +338,13 @@ As an example, you can retrieve the IPv4 address(es) of your domain root by
 running::
 
     curl https://desec.io/api/v1/domains/{name}/rrsets/@/A/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 **Pro tip:** If you like to have the convenience of simple string expansion
 in the URL, you can add three dots after ``{subname}``, like so::
 
     curl https://desec.io/api/v1/domains/{name}/rrsets/{subname}.../{type}/ \
-        --header "Authorization: Token {token}"
+        --header "Authorization: Token {secret}"
 
 With this syntax, the above-mentioned normalization problem does not occur,
 and no special treatment is needed for accessing the zone apex.  You can
@@ -362,7 +362,7 @@ be specified (that is, all fields, including ``subname`` and ``type``).
 Examples::
 
     curl -X PUT https://desec.io/api/v1/domains/{name}/rrsets/{subname}/{type}/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         {
           "subname": "{subname}",
@@ -373,7 +373,7 @@ Examples::
     EOF
 
     curl -X PATCH https://desec.io/api/v1/domains/{name}/rrsets/{subname}/{type}/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<< \
         '{"ttl": 86400}'
 
@@ -401,7 +401,7 @@ by sending an array of RRset objects to the ``rrsets/`` endpoint (instead of
 just one), like this::
 
     curl -X PUT https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         [
           {"subname": "www", "type": "A", "ttl": 3600, "records": ["1.2.3.4"]},
@@ -436,7 +436,7 @@ another one.  This is achieved by sending a bulk request with an RRset that
 has an empty records list ``[]``, using the ``PATCH`` or ``PUT`` method::
 
     curl -X PATCH https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         [
           {"subname": "www", "type": "A", "ttl": 3600, "records": ["1.2.3.4"]},
@@ -456,7 +456,7 @@ and ``PUT`` request methods. You can simply send an array of RRset objects
 (instead of just one), like this::
 
     curl -X PATCH https://desec.io/api/v1/domains/{name}/rrsets/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<EOF
         [
           {"subname": "www", "type": "A", "ttl": 3600, "records": ["1.2.3.4"]},
@@ -667,7 +667,7 @@ Record types with priority field
       to create a ``TXT`` RRset::
 
           curl -X POST https://desec.io/api/v1/domains/{name}/rrsets/ \
-              --header "Authorization: Token {token}" \
+              --header "Authorization: Token {secret}" \
               --header "Content-Type: application/json" --data @- <<< \
               '{"type": "TXT", "records": ["\"test value1\"","\"value2\""], "ttl": 3600}'
 

docs/dyndns/configure.rst

@@ -34,7 +34,7 @@ following details in your router configuration:
 - Update Server ``update.dedyn.io``, or Update URL ``https://update.dedyn.io/``
 - Username (the full name of the domain you want to update, e.g. yourname.dedyn.io)
 - Hostname (same as your username)
-- Token (long random string for authorization, displayed after sign-up)
+- Token secret (long random string for authentication, displayed after sign-up)
 
 **Advanced API users:** The dynDNS token technically is a regular API token.
 You can also use the token to make requests to our REST API. (Currently, all
@@ -75,7 +75,7 @@ DynDNS Provider                 User-defined
 Update URL :superscript:`1`     ``https://update.dedyn.io/?myipv4=<ipaddr>&myipv6=<ip6addr>``
 Domain Name                     <your domain>
 Username :superscript:`2`       <your domain>
-Password :superscript:`3`       <your authorization token>
+Password :superscript:`3`       <your authentication token secret>
 =============================   =====
 
 *Note 1*
@@ -91,7 +91,7 @@ Password :superscript:`3`       <your authorization token>
   details.
 
 *Note 3*
-  A valid access token for the domain. **Not** your deSEC account password!
+  A valid token secret for the domain. **Not** your deSEC account password!
 
 
 Option 2: Use ddclient
@@ -111,7 +111,7 @@ start the configuration process.
 In the configuration process, select "other" dynamic DNS service provider, and
 enter ``update.dedyn.io`` as the dynamic DNS server. Next, tell ddclient to use
 the "dyndns2" protocol to perform updates. Afterwards, enter the username and
-the token that you received during registration. Last, tell ddclient how to
+the token secret that you received during registration. Last, tell ddclient how to
 detect your IP address, your domain name and the update interval.
 
 **Note:** As of the time of this writing, ddclient does not use an encrypted
@@ -123,7 +123,7 @@ Manual configuration (other systems)
 ************************************
 After installing ddclient, you can start with a ``ddclient.conf`` configuration
 file similar to this one, with the three placeholders replaced by your domain
-name and your token::
+name and your token secret::
 
   protocol=dyndns2
   # "use=cmd" and the curl command is one way of doing this; other ways exist
@@ -131,7 +131,7 @@ name and your token::
   ssl=yes
   server=update.dedyn.io
   login=[domain]
-  password='[token]'
+  password='[token secret]'
   [domain]
 
 For more information, check out `these

docs/dyndns/update-api.rst

@@ -41,7 +41,7 @@ API will return a ``401 Unauthorized`` status code.
 
 Preferred method: HTTP Basic Authentication (with token)
 --------------------------------------------------------
-Encode your username and token (provided during registration) in the
+Encode your username and token secret (provided during registration) in the
 ``Authorization: Basic ...`` header. This is the method virtually all dynDNS
 clients use out of the box.
 
@@ -52,7 +52,7 @@ account password (if you have one). Instead, enter your token!
 HTTP Token Authentication
 ------------------------------------------
 Send an ``Authorization: Token  ...`` header along with your request, where
-``...`` is the token issued at registration (or manually created later).
+``...`` is the token secret issued at registration (or manually created later).
 
 Query string method (discouraged)
 ---------------------------------
@@ -61,7 +61,7 @@ Set the ``username`` and ``password`` query string parameters (``GET
 
 **Important:** We **strongly discourage** using this method as it comes with a
 subtle disadvantage: We log all HTTP request URLs for a few days to facilitate
-debugging. As a consequence, this method will cause your secret token to end
+debugging. As a consequence, this method will cause your token secret to end
 up in our log files in clear text. The method is provided as an emergency
 solution where folks need to deal with old and/or crappy clients. If this is
 the case, we suggest looking for another client.
@@ -147,22 +147,22 @@ with your respective values.
 
 Basic authentication with automatic IP detection (IPv4 **or** IPv6)::
 
-  curl --user <your domain>:<your authorization token> https://update.dedyn.io/
+  curl --user <your domain>:<your token secret> https://update.dedyn.io/
 
   curl https://update.dedyn.io/?hostname=<your domain> \
-    --header "Authorization: Token <your authorization token>"
+    --header "Authorization: Token <your token secret>"
 
 Basic authentication with forced use of IPv6 (will remove IPv4 address from the DNS)::
 
-  curl --user <your domain>:<your authorization token> https://update6.dedyn.io/
+  curl --user <your domain>:<your token secret> https://update6.dedyn.io/
 
   curl https://update6.dedyn.io/?hostname=<your domain> \
-    --header "Authorization: Token <your authorization token>"
+    --header "Authorization: Token <your token secret>"
 
 Basic authentication with simultaneous update of IPv4 and IPv6::
 
-  curl --user <your domain>:<your authorization token> \
+  curl --user <your domain>:<your token secret> \
     "https://update.dedyn.io/?myipv4=1.2.3.4&myipv6=fd08::1234"
 
   curl "https://update6.dedyn.io/?hostname=<your domain>?myipv4=1.2.3.4&myipv6=fd08::1234" \
-    --header "Authorization: Token <your authorization token>"
+    --header "Authorization: Token <your token secret>"

docs/index.rst

@@ -20,7 +20,7 @@ pretty-print JSON output, process the data through ``jq``:  ``curl ... | jq .``.
 sometimes do not work. In this case, try moving the request payload in front
 of the ``curl`` call, like this::
 
-    echo {"name": "example.com"} | curl -X POST https://desec.io/api/v1/domains/ --header "Authorization: Token {token}" --header "Content-Type: application/json" --data @-
+    echo {"name": "example.com"} | curl -X POST https://desec.io/api/v1/domains/ --header "Authorization: Token {secret}" --header "Content-Type: application/json" --data @-
 
 
 .. toctree::

docs/quickstart.rst

@@ -40,7 +40,7 @@ Here's a quick intro how to get started:
         --header "Content-Type: application/json" --data @- <<< \
         '{"email": "youremailaddress@example.com", "password": "yourpassword"}'
 
-   The response body will contain an ``token`` which is used to
+   The response body will contain a ``token`` secret which is used to
    authenticate requests to the DNS management endpoints as demonstrated in
    the next step.
 
@@ -51,7 +51,7 @@ Here's a quick intro how to get started:
 #. Create a DNS zone::
 
     curl -X POST https://desec.io/api/v1/domains/ \
-        --header "Authorization: Token {token}" \
+        --header "Authorization: Token {secret}" \
         --header "Content-Type: application/json" --data @- <<< \
         '{"name": "example.com"}'
 

www/webapp/src/views/DynSetup.vue

@@ -27,13 +27,13 @@
             </p>
             <h2 class="title">Set Up Your Domain</h2>
             <p>
-              All operations on your domain require the following authorization token listed below:
+              All operations on your domain require the following authorization token secret shown below:
             </p>
             <p align="center">
               <code>{{token}}</code>
             </p>
             <p>
-              Please keep this token in a safe place.
+              Please keep this token secret in a safe place.
               If lost, it cannot be recovered and must be replaced with a new token.
             </p>
             <p>

www/webapp/src/views/TokenList.vue

@@ -18,8 +18,8 @@ export default {
         texts: {
           banner: () => ('<strong>New feature:</strong> You can now configure your tokens for finer access control. Check out the advanced settings switch above!'),
           create: () => ('<p>You can create a new API token here. The token is displayed after submitting this form.</p>'),
-          createBottom: () => ('<p><strong>Warning:</strong> Be sure to protect your tokens appropriately! Knowledge of an API token allows performing actions on your behalf.</p>'),
-          createSuccess: (item) => `Your new token is: <code>${item.token}</code><br />It is only displayed once.`,
+          createBottom: () => ('<p><strong>Warning:</strong> Be sure to protect your token secrets appropriately! Knowledge of an API token allows performing actions on your behalf.</p>'),
+          createSuccess: (item) => `Your new token's secret value is: <code>${item.token}</code><br />It is only displayed once.`,
           destroy: d => (d.name ? `Delete token with name "${d.name}" and ID ${d.id}?` : `Delete unnamed token with ID ${d.id}?`),
           destroyInfo: () => ('This operation is permanent. Any devices using this token will no longer be able to authenticate.'),
           destroyWarning: d => (d.id == store.state.token.id ? 'This is your current session token. Deleting it will invalidate the session.' : ''),
@@ -103,7 +103,7 @@ export default {
           },
           value: {
             name: 'item.value',
-            text: 'Token',
+            text: 'Secret',
             align: 'left',
             sortable: false,
             value: 'value',