Web console login|
As of now, when accessing the web console, you will be prompted to log in. To log in, you will be redirected to the master address (using --public-master, --master, or the autodetected master IP, in that order).
You'll still need to accept certificates both for the web console host/port and the master host/port, but because the log in actually happens against the master, the need to accept the master host/port certificate is much more obvious now.
By default, any username/password combination is accepted and provisions a user with that identity under the "anypassword" identity provider.
If you need an API token, the easiest way to get it is to go to <master>/oauth/token/request in a browser. Again, you'll be prompted to log in, then an API token will be generated for you.