First you need to be an admin and create an external service. name it openapi-server. only allow certain authenticated users to create ws tokens.
then you need to choose the authenticated users.
then you need to add allowed functions to the external service.
Then you need to create a ws token for the external service. you should turn off the valid until option.