## Supervisor Authentication

The supervisor has two authentication systems:

1. An authentication system based on scoped symmetric API keys.
2. An authentication of the signatures of a job's canonical representation.

The first is used to control access to the supervisor API, the second is used to authenticate the signatories of a job, such that the runners can implement access control based on the signatories.

#### API Key Management

API keys are used to authenticate requests to the supervisor. They are created using the `auth.key.create` method and can be listed using the `key.list` method.

#### API Key Scopes

API keys have a scope that determines what actions they can perform. The following scopes are available:

- `admin`: Full access to all supervisor methods.
- `registrar`: Access to methods related to job registration and management.
- `user`: Access to methods related to job execution and management.

#### API Key Usage

API keys are passed as a header in the `Authorization` field of the request. The format is `Bearer <key>`.

#### API Key Rotation

API keys can be rotated using the `key.remove` method. This will invalidate the old key and create a new one.