The {rfc-site}/rfc6455#section-10.5 [WebSocket protocol, RFC 6455] "doesn’t prescribe any particular way that servers can authenticate clients during the WebSocket handshake." In practice, however, ...