To access protected resources, a Taskcluster client must have credentials consisting of a clientId and an accessToken (and, if using temporary credentials, a certificate).

These credentials are used with the Hawk protocol to authenticate each HTTP request. The clientId is passed as the id parameter, and accessToken is passed as the key parameter.

If given, the certificate is passed as ext.certificate to the Hawk.client.header method. The ext value is a base64-encoded JSON string.

In JavaScript:

var header = Hawk.client.header('', 'GET', {
  credentials: {
    clientId: clientId,
    accessToken: accessToken,
  ext: new Buffer(JSON.stringify({certificate: certificate})).toString('base64'),

Given this information, the Hawk protocol (as defined by its Javascript implementation) signs the HTTP request, and the resulting token is placed in the Authorization header.