docs(srv): add doc on new auth method MTA-6708

pages/serverless-containers/how-to/create-auth-token-from-console.mdx

@@ -1,14 +1,13 @@
 ---
-title: How to create and manage an an authentication token from the console
-description: How to create an auth token from the Scaleway console.
-tags: authentication authentication-token containers auth
+title: How to manage authentication for private containers
+description: This page explains how to manage authentication to call private containers
+tags: authentication authentication-token containers auth iam access api secret key
 dates:
-  validation: 2025-11-18
+  validation: 2025-11-19
   posted: 2022-10-14
 ---
 import Requirements from '@macros/iam/requirements.mdx'
 
-
 This page shows you how to create and manage an authentication token from the Scaleway console.
 
 <Requirements />
@@ -18,61 +17,92 @@ This page shows you how to create and manage an authentication token from the Sc
 - [Created a containers namespace](/serverless-containers/how-to/create-manage-delete-containers-namespace/)
 - [Deployed a container](/serverless-containers/how-to/deploy-container/)
 
-## Creating authentication tokens from the Scaleway console
+## Managing authentication from the Scaleway console
+
+Serverless containers used to rely on a legacy token-based authentication to call private containers. [Scaleway IAM](/iam/) offers a modern way to access private resources using API keys.
+
+<Tabs id="token-serverless">
+  <TabsTab label="Scaleway IAM">
+    1. [Create an IAM application](/iam/how-to/create-application/) that will be used as a principal for the policy granting access to your private container.
 
-1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays.
+    2. [Create an API key](/iam/how-to/create-api-keys/) for your application. Store the secret key securely, as it is only shown once.
 
-2. Click the relevant containers namespace to see a list of containers in this namespace.
+    3. [Create an IAM policy](/iam/how-to/create-policy/) with the following elements:
+        - **Scope**: the desired Project(s)
+        - **Principal**: the application you just created
+        - **Permission set**:  `ContainersPrivateAccess`
+
+    You can now [use your private key as a token](#using-tokens) to call private containers.
+  </TabsTab>
+  <TabsTab label="JWT (legacy)">
+    1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays.
 
-3. Click the name of the relevant container in the **Containers** tab. The container's details display.
+    2. Click the relevant containers namespace to see a list of containers in this namespace.
 
-4. Click the **Security** tab. A list of settings displays.
+    3. Click the name of the relevant container in the **Containers** tab. The container's details display.
 
-5. Click **Generate token** in the **Tokens** panel. A pop-up displays.
+    4. Click the **Security** tab. A list of settings displays.
 
-6. Enter the token description and set an expiration date for the token. Optionally, tick the box **No expiration date**, to have a token with unlimited validity. Then, click **Generate token**.
+    5. Click **Generate token** in the **Tokens** panel. A pop-up displays.
 
-7. Copy the token from the pop-up and store it in a safe environment.
+    6. Enter the token description and set an expiration date for the token. Optionally, tick the box **No expiration date**, to have a token with unlimited validity. Then, click **Generate token**.
 
-    <Message type="important">
+    7. Copy the token from the pop-up and store it in a safe environment.
 
-    The token key will only be available for copy once. Make sure to store it securely before leaving the page.
+        <Message type="important">
 
-    </Message>
+        The token key will only be available for copy once. Make sure to store it securely before leaving the page.
 
-## Using tokens
+        </Message>
+  </TabsTab>
+</Tabs>
 
-To use your token, you have to add the generated token to a `X-Auth-Token` header.
+## Calling private containers
+
+To call a private container, you have to add the **secret key** of the [previously created API key](#managing-authentication-from-the-scaleway-console) to a `X-Auth-Token` header.
 
 A **private** container observes this behavior:
 
 * If a call is made without the `X-Auth-Token` header, the call is rejected (status code `403`)
-* If the `X-Auth-Token` header is provided, the token is validated using a public key attached to the namespace.
+* If the `X-Auth-Token` header is provided, the token is validated using the IAM API public key corresponding to the private key provided.
 
-For example, to execute a private container by providing a token using `curl`, run the following command:
+For example, to execute a private container by providing a secret key using `curl`, run the following command:
 
 ```bash
-curl -H "X-Auth-Token: <YOUR_CONTAINER_TOKEN>" <YOUR_CONTAINER_ENDPOINT>
+curl -H "X-Auth-Token: <API_SECRET_KEY>" <YOUR_CONTAINER_ENDPOINT>
 ```
 
-## Deleting tokens
+## Revoking authentication
+
+<Tabs id="revoke-authentication">
+  <TabsTab label="Scaleway IAM">
+    To revoke authentication for your container, you can either:
+    - remove the `ContainersPrivateAccess` permission set from the IAM policy
+    - delete the IAM policy targeting the IAM application bearing the API key
+    - delete the API key of your IAM application
+    - delete the IAM application holding the API key
+
+  </TabsTab>
+  <TabsTab label="JWT (legacy)">
+    Tokens will expire by default on their given expiry date. You can delete them manually if they are no longer needed.
 
-Tokens will expire by default on their given expiry date. You can delete them manually if they are no longer needed.
+    1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays.
 
-1. Click **Containers** in the **Serverless** section of the side menu. The Serverless Containers page displays.
+    2. Click the relevant containers namespace to see a list of containers in this namespace.
 
-2. Click the relevant containers namespace to see a list of containers in this namespace.
+    3. Click the name of the relevant container in the **Containers** tab. The container's details display.
 
-3. Click the name of the relevant container in the **Containers** tab. The container's details display.
+    4. Click the **Security** tab. A list of settings displays.
 
-4. Click the **Security** tab. A list of settings displays.
+    5. Click <Icon name="delete" /> next to the token you want to delete in the **Tokens** panel. A pop-up displays.
 
-5. Click <Icon name="delete" /> next to the token you want to delete in the **Tokens** panel. A pop-up displays.
+    6. Confirm by clicking **Delete token** to delete the token and to revoke access to the container.
 
-6. Confirm by clicking **Delete token** to delete the token and to revoke access to the container.
+        <Message type="important">
 
-    <Message type="important">
+          This action is irreversible, and this token will not be able to access your container anymore.
 
-      This action is irreversible, and this token will not be able to access your container anymore.
+        </Message>
+  </TabsTab>
+</Tabs>
 
-    </Message>