From 426daab6265df27dcee6e8e7c54b77e4f2d68e19 Mon Sep 17 00:00:00 2001
From: Samy OUBOUAZIZ
Date: Tue, 18 Nov 2025 17:44:53 +0100
Subject: [PATCH 1/3] docs(srv): add doc on new auth method MTA-6708
---
.../how-to/create-auth-token-from-console.mdx | 37 ++++++++++++++-----
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
index b004eabdc5..c5824f7423 100644
--- a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
+++ b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
@@ -20,25 +20,42 @@ This page shows you how to create and manage an authentication token from the Sc ## Creating authentication tokens from the Scaleway console -1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays. + + + 1. [Create an IAM application](/iam/how-to/create-application/) that will be used as a principal for the policy granting access to your private container. -2. Click the relevant containers namespace to see a list of containers in this namespace. + 2. [Create an API key](/iam/how-to/create-api-keys/) for your application. Store the secret key securely, as it is only shown once. -3. Click the name of the relevant container in the **Containers** tab. The container's details display. + 3. [Create an IAM policy](/iam/how-to/create-policy/) with the following elements: + - **Scope**: the desired Project(s) + - **Principal**: the application you just created + - **Permission set**: `ContainersPrivateAccess` + + You can now [use your private key as a token](#using-tokens) to call private containers. + + + 1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays. -4. Click the **Security** tab. A list of settings displays. + 2. Click the relevant containers namespace to see a list of containers in this namespace. -5. Click **Generate token** in the **Tokens** panel. A pop-up displays. + 3. Click the name of the relevant container in the **Containers** tab. The container's details display. -6. Enter the token description and set an expiration date for the token. Optionally, tick the box **No expiration date**, to have a token with unlimited validity. Then, click **Generate token**. + 4. Click the **Security** tab. A list of settings displays. -7. Copy the token from the pop-up and store it in a safe environment. + 5. Click **Generate token** in the **Tokens** panel. A pop-up displays. - + 6. 
Enter the token description and set an expiration date for the token. Optionally, tick the box **No expiration date**, to have a token with unlimited validity. Then, click **Generate token**. - The token key will only be available for copy once. Make sure to store it securely before leaving the page. + 7. Copy the token from the pop-up and store it in a safe environment. + + + + The token key will only be available for copy once. Make sure to store it securely before leaving the page. + + + + - ## Using tokens
From 7ac466b9cf06f45e1920f451f6c0e45c9d1410b4 Mon Sep 17 00:00:00 2001
From: Samy OUBOUAZIZ
Date: Wed, 19 Nov 2025 09:31:54 +0100
Subject: [PATCH 2/3] docs(srv): update
---
.../how-to/create-auth-token-from-console.mdx | 1 -
1 file changed, 1 deletion(-)
diff --git a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
index c5824f7423..bb7a038f01 100644
--- a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
+++ b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
@@ -8,7 +8,6 @@ dates: --- import Requirements from '@macros/iam/requirements.mdx' - This page shows you how to create and manage an authentication token from the Scaleway console.
From 68d4245f6c60d86da524efab29a5a3cd6e362d0c Mon Sep 17 00:00:00 2001
From: Samy OUBOUAZIZ
Date: Wed, 19 Nov 2025 15:40:45 +0100
Subject: [PATCH 3/3] docs(srv): update
---
.../how-to/create-auth-token-from-console.mdx | 58 ++++++++++++-------
1 file changed, 36 insertions(+), 22 deletions(-)
diff --git a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
index bb7a038f01..6398fd893d 100644
--- a/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
+++ b/pages/serverless-containers/how-to/create-auth-token-from-console.mdx
@@ -1,9 +1,9 @@ --- -title: How to create and manage an an authentication token from the console -description: How to create an auth token from the Scaleway console. -tags: authentication authentication-token containers auth +title: How to manage authentication for private containers +description: This page explains how to manage authentication to call private containers +tags: authentication authentication-token containers auth iam access api secret key dates: - validation: 2025-11-18 + validation: 2025-11-19 posted: 2022-10-14 --- import Requirements from '@macros/iam/requirements.mdx' @@ -17,7 +17,9 @@ This page shows you how to create and manage an authentication token from the Sc - [Created a containers namespace](/serverless-containers/how-to/create-manage-delete-containers-namespace/) - [Deployed a container](/serverless-containers/how-to/deploy-container/) -## Creating authentication tokens from the Scaleway console +## Managing authentication from the Scaleway console + +Serverless containers used to rely on a legacy token-based authentication to call private containers. [Scaleway IAM](/iam/) offers a modern way to access private resources using API keys. 
@@ -55,40 +57,52 @@ This page shows you how to create and manage an authentication token from the Sc +## Calling private containers -## Using tokens - -To use your token, you have to add the generated token to a `X-Auth-Token` header. +To call a private container, you have to add the **secret key** of the [previously created API key](#managing-authentication-from-the-scaleway-console) to a `X-Auth-Token` header. A **private** container observes this behavior: * If a call is made without the `X-Auth-Token` header, the call is rejected (status code `403`) -* If the `X-Auth-Token` header is provided, the token is validated using a public key attached to the namespace. +* If the `X-Auth-Token` header is provided, the token is validated using the IAM API public key corresponding to the private key provided. -For example, to execute a private container by providing a token using `curl`, run the following command: +For example, to execute a private container by providing a secret key using `curl`, run the following command: ```bash -curl -H "X-Auth-Token: " +curl -H "X-Auth-Token: " ``` -## Deleting tokens +## Revoking authentication -Tokens will expire by default on their given expiry date. You can delete them manually if they are no longer needed. + + + To revoke authentication for your container, you can either: + - remove the `ContainersPrivateAccess` permission set from the IAM policy + - delete the IAM policy targeting the IAM application bearing the API key + - delete the API key of your IAM application + - delete the IAM application holding the API key -1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays. + + + Tokens will expire by default on their given expiry date. You can delete them manually if they are no longer needed. -2. Click the relevant containers namespace to see a list of containers in this namespace. + 1. Click **Containers** in the **Serverless** section of the side menu. 
The Serverless Containers page displays. -3. Click the name of the relevant container in the **Containers** tab. The container's details display. + 2. Click the relevant containers namespace to see a list of containers in this namespace. -4. Click the **Security** tab. A list of settings displays. + 3. Click the name of the relevant container in the **Containers** tab. The container's details display. -5. Click next to the token you want to delete in the **Tokens** panel. A pop-up displays. + 4. Click the **Security** tab. A list of settings displays. + + 5. Click next to the token you want to delete in the **Tokens** panel. A pop-up displays. -6. Confirm by clicking **Delete token** to delete the token and to revoke access to the container. + 6. Confirm by clicking **Delete token** to delete the token and to revoke access to the container. + + - + This action is irreversible, and this token will not be able to access your container anymore. - This action is irreversible, and this token will not be able to access your container anymore. + + + -