# Federation

Server-to-server endpoints for federated group access. Remote servers request tokens on behalf of their users by signing requests with the user's private key via HTTP Signatures. No standard authentication is required; requests are validated through cryptographic signatures.

## Issue a group federation token (server-to-server)

- [POST /api/v1/federation/tokens](https://docs.wellesley.social/openapi/federation/paths/~1api~1v1~1federation~1tokens/post.md): Issues a short-lived token for a remote user to access a specific group. The request must be signed with the user's private key using HTTP Signatures (ActivityPub). The user must be a member of the requested group. This is a server-to-server endpoint and does not require standard authentication; it relies on cryptographic HTTP signature verification.

## Request a federation token for a remote group

- [POST /api/v1/groups/{groupId}/federation-token](https://docs.wellesley.social/openapi/federation/paths/~1api~1v1~1groups~1%7Bgroupid%7D~1federation-token/post.md): Proxies a federation token request to a remote group server. The server signs the request on behalf of the authenticated user using HTTP Signatures. Returns a short-lived token that can be used for direct API calls to the remote group server. Only works for remote (federated) groups; local groups return an error. The user must be a member of the target group. Authentication is required.
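
Because `POST /api/v1/federation/tokens` accepts no other authentication, everything depends on the receiving server's signature check. The following is an added example, not this project's code, showing both the signing side and the checks a receiver would make before issuing a token. It assumes the draft-cavage HTTP Signatures scheme commonly used by ActivityPub servers (`rsa-sha256` over `(request-target)`, `host`, `date` and `digest`); `lookupKey`, the host, the keyId and the request body are hypothetical placeholders.

```javascript
const crypto = require('crypto');

const REQUIRED = ['(request-target)', 'host', 'date', 'digest'];

// Rebuild the exact string the sender signed from the listed header names.
function signingString(req, names) {
  return names.map((h) => (h === '(request-target)'
    ? `(request-target): ${req.method.toLowerCase()} ${req.path}`
    : `${h}: ${req.headers[h]}`)).join('\n');
}

function digestOf(body) {
  return 'SHA-256=' + crypto.createHash('sha256').update(body).digest('base64');
}

// Sending server: sign with the user's private key.
function signRequest(req, keyId, privateKey) {
  req.headers.digest = digestOf(req.body);
  const sig = crypto.sign('sha256', Buffer.from(signingString(req, REQUIRED)), privateKey);
  req.headers.signature = `keyId="${keyId}",algorithm="rsa-sha256",` +
    `headers="${REQUIRED.join(' ')}",signature="${sig.toString('base64')}"`;
  return req;
}

// Receiving server: returns the verified keyId, throws on any failure.
// lookupKey(keyId) is a hypothetical resolver for the user's public key.
function verifyRequest(req, lookupKey, now = Date.now(), maxSkewMs = 5 * 60 * 1000) {
  const raw = String(req.headers.signature || '');
  const p = Object.fromEntries([...raw.matchAll(/(\w+)="([^"]*)"/g)].map((m) => [m[1], m[2]]));
  const names = (p.headers || '').split(' ');
  for (const h of REQUIRED) {
    if (!names.includes(h)) throw new Error(`header not covered by signature: ${h}`);
  }
  const skew = Math.abs(now - Date.parse(req.headers.date));
  if (!(skew <= maxSkewMs)) throw new Error('date outside allowed window'); // also rejects NaN
  if (req.headers.digest !== digestOf(req.body)) throw new Error('digest does not match body');
  const ok = crypto.verify('sha256', Buffer.from(signingString(req, names)),
    lookupKey(p.keyId), Buffer.from(p.signature || '', 'base64'));
  if (!ok) throw new Error('signature invalid');
  return p.keyId; // caller must still check this user is a member of the group
}

// Constructed sample request; host, keyId and body are placeholders.
function sampleRequest(now = Date.now()) {
  return { method: 'POST', path: '/api/v1/federation/tokens', body: '{"group":"example"}',
    headers: { host: 'groups.example', date: new Date(now).toUTCString() } };
}
```

Requiring `digest` and `date` among the covered headers is what binds the signature to the request body and limits replay of a captured request.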