Currently authenticating with token_auth works in all modules. We would want to restrict to API module, because there is no need for users to use this mechanism to login.
chuckdeal97 please see your feature request in #283 ; feel free to submit any ideas or patches
reopening as I am now convinced that Widgetize is another special case where token_auth should work, at least until #283 is implemented.
I am a bit confused; I generated the widget and manually added the token_auth in the widget URL, eg.``` module=Widgetize&action=iframe&.......&token_auth=$TOKEN_AUTH
And the widgets loaded fine. I thought this wasn't working. This means this bug is invalid; the downside is that you have to manually add the token_auth in the widget URLs but this is expected, as we do not want users to expose by mistake their token_auth, hence why we removed it from the URL.
(In ) Fixes #5655 clarifying documentation regarding widget authentication