There are two authentication schemes that we allow from the oasis-client and the developer-gateway.

• api token authentication. The user needs to pass an api token to the gateway when using the oasis-client. Currently the api token is passed up to https://github.com/oasislabs/oasis.js/blob/master/packages/gateway/src/index.ts#L115, but it needs to be passed to the HttpSession so it can be used. The api token needs to be sent on all requests using the header X-OASIS-LOGIN-TOKEN, which the developer-gateway already expects.

• google oauth. We need to see how the client can get a google oauth token from the user, and the gateway can use this token to send requests to the developer-gateway, that then the developer-gateway can verify with google and authenticate the requests.