class Devise::Strategies::TokenAuthenticatable

a password, you can pass “X” as password and it will simply be ignored.
For HTTP, you can pass the token as username and blank password. Since some clients may require
and http. For the former, all you need to do is to pass the params in the URL:
Strategy for signing in a user, based on a authenticatable token. This works for both params

def authenticate!

def authenticate!
  resource = mapping.to.find_for_token_authentication(authentication_hash)
  return fail(:invalid_token) unless resource
  if validate(resource)
    resource.after_token_authentication
    success!(resource)
  end
end

def authentication_keys

Overwrite authentication keys to use token_authentication_key.
def authentication_keys
  @authentication_keys ||= [mapping.to.token_authentication_key]
end

def params_auth_hash

Try both scoped and non scoped keys.
def params_auth_hash
  if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
    params[scope]
  else
    params
  end
end

def remember_me?

Do not use remember_me behavior with token.
def remember_me?
  false
end

def store?

def store?
  super && !mapping.to.skip_session_storage.include?(:token_auth)
end

def valid_params_request?

Token Authenticatable can be authenticated with params in any controller and any verb.
def valid_params_request?
  true
end