the way this should work:
1) if the user is authenticated via ORCID on the web interface, she can
create a new token by, say, a form that takes a name (string) and is submitted by a button "Generate new Token".
This will generate a random token and add the token name + the token to the User. (probably tokens should be their own table, and a User should be able to have multiple tokens)
2) if the user wants to use the API, she should be able to do something like
curl -u <orcid>:<token> http://api.recast.....
3) on the user page, we can show a list of token "names", but should never show a list of token values (because essentially they are a password)
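
A sketch of the three steps above, added as an example and not part of the original post or the project's code. The TokenStore class and its in-memory dict (standing in for a separate tokens table) are hypothetical, and keeping only a SHA-256 digest of each token is an added assumption that follows from treating token values as passwords.

```python
import base64
import hashlib
import hmac
import secrets


class TokenStore:
    """Hypothetical in-memory stand-in for a tokens table (one user, many tokens)."""

    def __init__(self):
        # orcid -> {token name: SHA-256 hex digest of the token value}
        self._rows = {}

    def create(self, orcid, name):
        """Step 1: generate a random token; the plaintext is returned once, never stored."""
        tokens = self._rows.setdefault(orcid, {})
        if name in tokens:
            raise ValueError("token name already in use")
        value = secrets.token_urlsafe(32)
        tokens[name] = hashlib.sha256(value.encode()).hexdigest()
        return value

    def names(self, orcid):
        """Step 3: the user page lists token names only."""
        return sorted(self._rows.get(orcid, {}))

    def revoke(self, orcid, name):
        """Delete one named token; returns True if it existed."""
        return self._rows.get(orcid, {}).pop(name, None) is not None

    def check_basic_auth(self, header):
        """Step 2: validate the Authorization value sent by curl -u <orcid>:<token>.

        Returns the ORCID on success, None on any malformed or wrong credential.
        """
        scheme, _, payload = (header or "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        orcid, sep, value = decoded.partition(":")
        if not sep:
            return None
        digest = hashlib.sha256(value.encode()).hexdigest()
        ok = False
        for stored in self._rows.get(orcid, {}).values():
            ok |= hmac.compare_digest(stored, digest)  # constant-time compare
        return orcid if ok else None
```

Because only digests are kept, a lost token cannot be shown again; the user revokes it by name and generates a new one.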