As described in security architecture, Light uses two tokens to secure service
to service calls. One token is the original token from the login user that has original
caller information and possible additional info for fine-grained authorization. This token
is called Subject Token.
The Subject Token represents a person and it has user_id and potential additional user info.
There are two way to get this token.
Authorization Grant Flow for OAuth 2.0 provider
This token is passed in request header “Authorization” in most of the cases and if the token
contains scope info to access the immediate API/service, then no Access Token is needed. This
is the situation webserver as a client calling APIs.