I noticed that you can create an « api_key », but when you do this, the token in the session does not have a value in the « valid_until » field, so requests made with the api_key are systematically rejected.
Is this intentional? In development? A bug? Not meant to be used? 
You’re talking about Gladys Plus, right?
If so, that’s not normal, it’s supposed to work.
I talk about it in my live stream « Technical Presentation of Gladys Plus » at 39:16:
Ok, I’ll take a closer look at it 
Since I was able to create an api_key without the gladys plus, I thought there was a « local » usage.
Ah ok I understand what you saw in the code It’s a relic, I must have done some tests at some point during the alpha, but it’s not used or functional.
On the other hand, there is an open API accessible from anywhere in the world with Gladys Plus.
You have documentation on the site:
A simple example to send a new sensor value:
POST https://api.gladysgateway.com/v1/api/device/state/YOUR_OPEN_API_KEY
Body:
{
"device_feature_external_id": "mqtt:my-phone-presence",
"state": 1
}
It works on its own and at least it’s accessible from anywhere!
Ok, the goal, since I’m migrating from Gladys3 to Gladys4, is for my Zoneminder to trigger a scene when motion is detected, so everything stays local. Therefore, the api_key suits me well to avoid regenerating a token each time via a script. 
Ah, in that case why not go through the MQTT API? It’s the simplest and I think zoneminder can send MQTT
Otherwise, if you can’t get this to work, you can always go through Node-RED as I show in my latest video on YouTube
Yes, I thought about MQTT but it requires me to create a « fake » device of type « motion-detected », it was my fallback solution
It seems to me like a good solution, there’s nothing wrong with creating a dummy device