Anvil Community Forum

HTTP APIs: Use API token instead of username and password

I have looked at the Multi-user and HTTP API examples and I feel passing username and password via CLI or elsewhere is a bit old school (and insecure). Could we have API tokens that can be scoped?

By default, the API token can do everything, but it can also be narrowed down to only certain types of calls by Method type or specific to certain API endpoints, etc. The latter specialisation could maybe be handled inside the app by the developer.

But the main question is: how do we make Anvil generate API tokens instead of username and password?

You can create your own API tokens and use them to look up permissions in a data table to tell you what that token should be able to do. If you’re creating your own API for public consumption, you’ll need a way for users to create and manage their own tokens, so you’re building a user interface for that anyway.
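The token-plus-permission-table approach described in this reply, with the method and endpoint scoping asked for in the question, sketched as an added example (not code from the thread or from Anvil). A plain dict stands in for the Data Table, and the names `issue_token`, `revoke_token` and `authorize` are hypothetical.

```python
import fnmatch
import hashlib
import secrets

# Stand-in for a Data Table (assumption): SHA-256 of token -> permission row.
# Only the hash is stored, so a leaked table does not reveal usable tokens.
TOKENS = {}

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(owner, methods=("*",), paths=("*",)):
    """Create a token. Default scope is everything; narrow it with
    HTTP methods and fnmatch-style path patterns (here '*' also spans '/')."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKENS[_digest(token)] = {
        "owner": owner,
        "methods": {m.upper() for m in methods},
        "paths": tuple(paths),
        "revoked": False,
    }
    return token  # plaintext is shown to the user once, never stored

def revoke_token(token):
    """Mark a token unusable; returns False if it was never issued."""
    row = TOKENS.get(_digest(token))
    if row is None:
        return False
    row["revoked"] = True
    return True

def authorize(auth_header, method, path):
    """Return the owner if the bearer token allows method + path, else None."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    row = TOKENS.get(_digest(token.strip()))
    if row is None or row["revoked"]:
        return None
    if "*" not in row["methods"] and method.upper() not in row["methods"]:
        return None
    if not any(fnmatch.fnmatchcase(path, p) for p in row["paths"]):
        return None
    return row["owner"]
```

In an app, `authorize` would run at the top of each HTTP endpoint against the request's `Authorization` header, method and path, and the endpoint would return 401 or 403 when it yields `None`.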

Thanks for your reply.

This might be a sort of workaround, rather than a functionality like User services provides. I still think there is room for improvement here. And a seamless API generation, revocation and usage through Anvil.works is highly desirable.
