Secure sessions with passwords
The tokens could be further secured with passwords, for example by extending the URL used with `{password}`, e.g. `/run/{token}/` to `/run/{token}/{password}/`, and checking if it is correct for the token. If even more security is necessary the password could instead be placed as a header of the request so that it is encrypted for HTTPS requests. The password should be optional to be backwards compatible.
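
A sketch of the check proposed above, as an added example that is not part of the original proposal or the project's code. It accepts the password from either the URL segment or a header and leaves tokens without a password working as before; the in-memory store, the function names and the `X-Session-Password` header name are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical in-memory store: token -> (salt, password_hash), or None for a
# token created without a password (the backwards-compatible case).
SESSIONS = {}
PASSWORD_HEADER = "X-Session-Password"  # assumed header name, not from the page


def _derive(password, salt):
    # Store a salted PBKDF2 hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(token, password=None):
    if password is None:
        SESSIONS[token] = None
    else:
        salt = os.urandom(16)
        SESSIONS[token] = (salt, _derive(password, salt))


def parse_request(path, headers):
    """Return (token, password) for /run/{token}/ or /run/{token}/{password}/."""
    parts = [p for p in path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "run":
        return None, None
    url_password = parts[2] if len(parts) == 3 else None
    # A header value, when present, takes precedence over the URL segment.
    return parts[1], headers.get(PASSWORD_HEADER, url_password)


def authorize(path, headers):
    token, supplied = parse_request(path, headers)
    if token is None or token not in SESSIONS:
        return False
    record = SESSIONS[token]
    if record is None:
        return True  # token has no password: old clients keep working
    if supplied is None:
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(_derive(supplied, salt), expected)


if __name__ == "__main__":
    register("tok-open")              # constructed sample tokens
    register("tok-locked", "s3cret")
    print(authorize("/run/tok-open/", {}), authorize("/run/tok-locked/", {}))
```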