Unless I'm misunderstanding what you mean by token auth, generally what you mean is something like OAuth, or OAuth2. Essentially, you pass the username and password via SSL to your server, and your server returns a couple of tokens, the first being the Refresh token and the second being the auth token, usually good for a specific length of time like 1 hour. Your device then includes the token in the URL when it connects each time to the server. If the token is not in the URL then your server rejects or ignores the request. So any connection to the server would use the stored token, until it expires, at which point you would use your Refresh Token to get a new auth token. That is one approach.
Another is to have a unique key stored on the device that all requests are signed with. The signature is usually the URL parameters, sorted alphabetically, and signed with the key as an MD5 hash or using SHA256 or SHA128. Each URL expires within a few moments after it is used, and a new signature is generated **on the Roku** from the locally stored key for each URL request. Again, your server rejects or ignores any non-signed URLs. The signature has to match the content of the URL parameters. You could generate the signing key on your server and return it via SSL when the user enters their username and password, or when the user links their device to your website.
In most cases, though, the key (usually called the developer key) is used for all devices, and would be hard-coded into the application.
- Joel
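A worked version of the signed-URL scheme described in the post above, added here as an example and not Joel's own code: it signs the alphabetically sorted parameters with HMAC-SHA256 (a keyed MAC, in place of a bare MD5 or SHA hash), includes a timestamp so each URL expires shortly after it is issued, and shows the server-side check that rejects unsigned, tampered, stale or wrong-key requests. The device key, base URL and expiry window are assumed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical per-device key, as handed out by the server at link time (constructed sample value).
DEVICE_KEY = b"example-device-key-not-a-real-secret"
MAX_AGE_SECONDS = 60  # assumed window in which a signed URL stays valid


def canonical_query(params: dict) -> str:
    """Sorted-parameter string that both sides sign, e.g. 'a=1&b=2&ts=1000'."""
    return urlencode(sorted(params.items()))


def sign_url(base_url: str, params: dict, key: bytes, now: int) -> str:
    """Device side: add a timestamp, MAC the sorted parameters, append 'sig'."""
    params = dict(params, ts=str(now))
    canonical = canonical_query(params)
    sig = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{base_url}?{canonical}&sig={sig}"


def verify_url(url: str, key: bytes, now: int, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Server side: accept only a fresh request whose MAC matches its parameters."""
    query = urlsplit(url).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    presented = params.pop("sig", None)  # signature is not part of the signed data
    ts = params.get("ts")
    if presented is None or ts is None or not ts.isdigit():
        return False  # unsigned or malformed request
    if abs(now - int(ts)) > max_age:
        return False  # expired (or clock far off), so a replayed URL is refused
    expected = hmac.new(key, canonical_query(params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    return hmac.compare_digest(presented, expected)
```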