I'm trying to implement a full development with REST Spray. There is an argument that I have not yet figured out and I have not found documented: how to protect the routes for authentication / authorization? I would just use a token - based authentication through a header of the request.

At the moment Spray implements only basic security mechanisms. It comes with HTTP basic authentication implemented and some cookie support.

It makes sense not to include more specific security implementations because every project implements it differently. Although Oauth implementation would be useful in many cases. There might be projects that provide that for Spray.

Token based authentication sounds like a good general choice.