OCPI - Security


Introduction

OCPI uses token-based authentication and SSL over the HTTP transport layer. OCPI does not require client-side certificates for authentication, only server-side certificates to set up a secure SSL connection.


Authorization Header

All OCPI HTTP requests require an 'Authorization' header in the following format:

Authorization: Token IpbJOXxkxOAuKR92z0nEcmVF3Qw09VG7I7d/WCg0koM=

In the context of OCPI, this is called the 'credentials token', which is exchanged via the Credentials Module.

Please note that this is not to be confused with charging authorization 'Tokens' that are exchanged by the 'Token Module'.

If the header is missing or the credentials token doesn’t match any known party, the Evnex OCPI server will respond with an HTTP 401 - Unauthorized status code.
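
The server-side check described above, as an added example (not Evnex's or the OCPI project's own code): it parses the 'Authorization' header, compares the credentials token against stored SHA-256 digests in constant time, and returns 401 for a missing header or an unknown token. The party names, the tokens and the choice to store digests rather than raw tokens are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: party ids and tokens are placeholders, not real credentials.
# Assumption: the server stores only SHA-256 digests of issued credentials tokens.
KNOWN_PARTIES = {
    "party-a": hashlib.sha256(b"constructed-token-A").hexdigest(),
    "party-b": hashlib.sha256(b"constructed-token-B").hexdigest(),
}


def parse_credentials_token(header_value):
    """Return the token from 'Token <value>', or None if the header is malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    # Only the 'Token' scheme shown in this document is accepted.
    if scheme != "Token" or not token or " " in token:
        return None
    return token


def authenticate(headers, known_parties=KNOWN_PARTIES):
    """Return (http_status, party_id); 401 if the header is missing or the token is unknown."""
    # HTTP header names are case-insensitive, so look the header up that way.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    token = parse_credentials_token(value)
    if token is None:
        return 401, None
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    matched = None
    for party_id, stored in known_parties.items():
        # compare_digest runs in constant time; the loop never exits early,
        # so response time does not reveal which entry (if any) matched.
        if hmac.compare_digest(digest, stored):
            matched = party_id
    return (200, matched) if matched else (401, None)


if __name__ == "__main__":
    print(authenticate({"Authorization": "Token constructed-token-A"}))
    print(authenticate({"Authorization": "Token not-a-known-token"}))
    print(authenticate({}))
```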