The following instance variables are always available in an Ocean controller:
The internal ID (a UUID) of the ApiUser to which the X-API-Token belongs, for which the authorisation was made, and for which the present action was authorised. This can be used to BAN expired resources in controller code. NB: it should never be used for any other purpose.
The full URI of the ApiUser to which the X-API-Token belongs, and for which the authorisation was made. This can be used to restrict and/or validate access in controller code.
For the internal use of the app and context system.
This is the X-API-Token header value used to authorise the present controller action. It can be used, for instance, to invalidate all authentications for a particular ApiUser in cases where your backend code has changed the user's privileges extensively.
Cf. this section for more information.