How is it currently worded?
HTTP
In case of HTTP, in your code look for the HTTP header dapr-api-token in incoming requests:
dapr-api-token:
gRPC
When using gRPC protocol, inspect the incoming calls for the API token on the gRPC metadata:
dapr-api-token[0].
How should it be worded?
HTTP
In case of HTTP, in your code look for the HTTP header dapr-api-token in incoming requests:
app-api-token:
gRPC
When using gRPC protocol, inspect the incoming calls for the API token on the gRPC metadata:
app-api-token[0].
Screenshots
Additional context
It appears that according to the documentation the dapr-api-token is being reused as the app api token. Is this correct or are they 2 separate tokens as I surmise?
This documentation is in fact correct although, I agree, it is confusing. Essentially in the presence of the env var or k8s secret app-api-token, the Dapr sidecar will always include the HTTP header/gRPC metadata dapr-api-token: <token> in the calls to the app. So from the app side, you need to ensure that you are authenticating using the dapr-api-token value even though you set app-api-token to enable API auth. Does this make sense?
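As an added example (not part of the issue thread and not Dapr's own code), here is an app-side check for the behaviour described in the reply above: the secret is configured as app-api-token, but the app must look for it under the name dapr-api-token, in the HTTP header or the gRPC metadata. The WSGI middleware, the helper names and reading the secret from an APP_API_TOKEN environment variable inside the app are assumptions made for illustration.

```python
import hmac
import os

HEADER = "dapr-api-token"  # what the sidecar sends to the app, per the reply above


def token_ok(presented, expected):
    """Constant-time compare; a missing token or an unset secret always fails."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def grpc_token_ok(metadata, expected):
    """metadata: iterable of (key, value) string pairs from the incoming call."""
    values = [v for k, v in metadata if k.lower() == HEADER]
    # The docs wording is dapr-api-token[0]: only the first value is checked.
    return token_ok(values[0] if values else None, expected)


class RequireDaprToken:
    """WSGI middleware that rejects requests without a valid dapr-api-token."""

    def __init__(self, app, expected):
        self.app = app
        self.expected = expected

    def __call__(self, environ, start_response):
        # WSGI exposes the dapr-api-token header as HTTP_DAPR_API_TOKEN.
        if not token_ok(environ.get("HTTP_DAPR_API_TOKEN"), self.expected):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"missing or invalid dapr-api-token\n"]
        return self.app(environ, start_response)


def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(environ, expected):
    """Run a constructed request through the middleware; return the status."""
    seen = []
    RequireDaprToken(hello, expected)(environ, lambda s, h: seen.append(s))
    return seen[0]


# Assumption: the app reads the same secret that was configured as app-api-token.
EXPECTED = os.environ.get("APP_API_TOKEN", "")
```

A request that carries the secret under an app-api-token header is rejected, which is the mismatch the issue asks about.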
URL of the docs page
https://docs.dapr.io/operations/security/app-api-token/