Clarify authentication and token management

keymanager-oapi.yaml

@@ -12,9 +12,12 @@ info:
     All requests by default send and receive JSON, and as such should have either or both of the "Content-Type: application/json"
     and "Accept: application/json" headers.
 
-    All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel:
-      - Log the token to stdout when running the binary with the key manager API enabled
-      - Read the token from a file available to the binary
+    All sensitive routes MUST be authenticated with a token.
+
+    The key manager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token
+    of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused
+    across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this
+    as an error: either abort the startup, or show the error and continue without exposing the key manager routes.
   version: "v1.0.0"
   contact:
     name: Ethereum Github
@@ -63,7 +66,7 @@ components:
     bearerAuth:
       type: http
       scheme: bearer
-      bearerFormat: URL safe token, optionally JWT
+      bearerFormat: URL safe, opaque token
 
   schemas:
     Pubkey: