I want to set a policy to limit the use of the plone.restapi unless there is a specific token sent from the caller in the header. For example, I want to allow specific mobile apps to use the APIs, but not to open it for the public.
I already checked the CORS policy in plone.rest, but it looks web-oriented.
Thanks, Jensens, for your feedback. I will try it.
The point here is that I want to authorize the source initiating the call first, then allow it to make calls to APIs which are well-protected with roles and permissions as they are right now.