--server-token-auth

Requires a bearer token on every request. Pass the shared token, and clients send it as an Authorization: Bearer <token> header. A request without it, or with a wrong token, gets 401. The comparison is constant-time.

Combine with --server-signed-url to let GET requests authorize by signature instead of a header. A valid token always authorizes; a signature is checked only when no token is sent.