Your exact situation may differ, but in this example, a token is read from an apikey . the user via a certificate or an API key and fall back to a form login). If you're using the default services.yaml configuration, that happens automatically.