Users can access their items via API. Authentication via API token. No public access to items.

lib/generic_rest_server_web/user_auth.ex

@@ -284,4 +284,20 @@ defmodule GenericRestServerWeb.UserAuth do
   end
 
   defp maybe_store_return_to(conn), do: conn
+
+  ## API
+
+  def fetch_current_scope_for_api_user(conn, _opts) do
+    with [<<bearer::binary-size(6), " ", token::binary>>] <-
+           get_req_header(conn, "authorization"),
+         true <- String.downcase(bearer) == "bearer",
+         {:ok, user} <- Accounts.fetch_user_by_api_token(token) do
+      assign(conn, :current_scope, Scope.for_user(user))
+    else
+      _ ->
+        conn
+        |> send_resp(:unauthorized, "No access for you")
+        |> halt()
+    end
+  end
 end