openbao new documentation draft

@@ -30,1 +43,3 @@
-*Hint: To be able to use OpenBao it has to be unsealed first. This happens automatically. While unsealing an initial token is being created. To access this token just run the **./getpassword.sh** script.*
+How does gaining access to OpenBao secrets work?
+
+![authentication layout](https://openbao.org/assets/images/openbao-auth-workflow-cfa532248968cdd9f3fd16e8c02c1b49.png)

@@ -31,0 +46,4 @@
+
+
+
+-	**Authentication:** Before a human or machine can gain any access, an administrator must configure OpenBao with an auth method. When a client tries to log in to OpenBao, the system checks client’s data against an internal or external (see *Validation* below) system. Once authenticated, Vault generates an **access token** for the client. This token is then used for every action performed in OpenBao.

@@ -31,0 +51,4 @@
+    <b style="color:orange">Note: the administrator can provide you with an already generated access token</b>
+
+-	**Validation:** If trusted third-party credential repositories (e.g., GitHub, LDAP, AppRole) are specified, OpenBao forwards authentication to them.
+-	**Authorization:** Vault applies policies based on the authentication method and rules set by the admin to the token that was generated during authentication. Policies provide a declarative way to grant or forbid access to certain **paths** and **operations** in OpenBao.

@@ -79,1 +184,3 @@
----
+
+## 🔨 How to use it?
+