[feature] Application creation + management via API + settings panel (#3906)

* [feature] Application creation + management via API + settings panel

* fix docs links

* add errnorows test

* use known application as shorter

* add comment about side effects

docs/api/authentication.md

@@ -2,6 +2,9 @@
 
 Using the client API requires authentication. This page documents the general flow for retrieving an authentication token with examples for doing this on the CLI using `curl`.
 
+!!! tip
+    If you want to get an API access token via the settings panel instead, without having to use the command line, see the [Application documentation](https://docs.gotosocial.org/en/latest/user_guide/settings/#applications).
+
 ## Create a new application
 
 We need to register a new application, which we can then use to request an OAuth token. This is done by making a `POST` request to the `/api/v1/apps` endpoint. Replace `your_app_name` in the command below with the name you want to use for your application:
@@ -19,18 +22,15 @@ curl \
 
 The string `urn:ietf:wg:oauth:2.0:oob` is an indication of what is known as out-of-band authentication - a technique used in multi-factor authentication to reduce the number of ways that a bad actor can intrude on the authentication process. In this instance, it allows us to view and manually copy the tokens created to use further in this process.
 
-Note that `scopes` can be any space-separated combination of:
-
-- `read`
-- `write`
-- `admin`
+!!! tip "Scopes"
+    It is always good practice to grant your application the lowest tier permissions it needs to do its job. e.g. If your application won't be making posts, use `scope=read` or even a subscope of that.
+    
+    In this spirit, "read" is used in the example above, which means that the application will be restricted to only being able to do "read" actions.
+    
+    For a list of available scopes, see [the swagger docs](https://docs.gotosocial.org/en/latest/api/swagger/).
 
 !!! warning
-    GoToSocial does not currently support scoped authorization tokens, so any token you obtain in this process will be able to perform all actions on your behalf, including admin actions if your account has admin permissions. Nevertheless, it is always good practice to grant your application the lowest tier permissions it needs to do its job. e.g. If your application won't be making posts, use scope=read.
-   
-    In this spirit, "read" is used in the example above, which means that in the future when scoped tokens are supported, the application will be restricted to only being able to do "read" actions.
-   
-    You can read more about additional planned OAuth security features [right here](https://github.com/superseriousbusiness/gotosocial/issues/2232).
+    GoToSocial did not support scoped authorization tokens before version 0.19.0, so if you are using a version of GoToSocial below that, then any token you obtain in this process will be able to perform all actions on your behalf, including admin actions if your account has admin permissions.
 
 A successful call returns a response with a `client_id` and `client_secret`, which we are going need to use in the rest of the process. It looks something like this:
 
@@ -126,7 +126,6 @@ See this example:
 
 ```bash
 curl \
-  -H 'Content-Type: application/json' \
   -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
   'https://example.org/api/v1/accounts/verify_credentials'
 ```
@@ -140,7 +139,6 @@ For example, you can issue another `GET` request to the API using the same acces
 
 ```bash
 curl \
-  -H 'Content-Type: application/json' \ 
   -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
   'https://example.org/api/v1/notifications'
 ```