

API Key Authentication

Another authentication method, particularly for machine-to-machine communication, is an API key. An API key is a string that the application will expect with each request from a particular client. The API key can be sent as a header, a cookie, or a query parameter.

If the API key is missing or invalid, the application returns an HTTP 401 "Unauthorized" error to the client.

/// warning

It is generally recommended to use API keys for programmatic access only, and to keep the API Key secret between the client(s) authenticated by the key and the server. Depending on your use case, this may mean storing this value in an environment variable or encrypted database (instead of hard-coding it, as in the examples below), and even providing a unique API key for each client trying to authenticate.

///

Simple API Key Auth using Header

  • Import APIKeyHeader.
  • Create an APIKeyHeader, specifying what header to parse as the API key.
  • Create a verify_api_key function that checks the API Key in the Header.
  • Add Depends(verify_api_key) either globally or to a single endpoint (see example).

{!../../docs_src/security/tutorial008.py!}

The client will need to send a request with the correct header:

GET /secure-data HTTP/1.1
X-API-Key: mysecretapikey

API Key Auth using Cookies

The process is similar to using APIKeyHeader, except we use an APIKeyCookie instance instead:

{!../../docs_src/security/tutorial009.py!}

The client will then need to pass in the key as a cookie (note that the name of the cookie is case-sensitive!):

GET /secure-data HTTP/1.1
Cookie: X-API-KEY=mysecretapikey

https://fastapi.tiangolo.com/reference/security/?h=apikeyheader#api-key-security-schemes

API Key Auth using Query Param

/// warning

Passing API keys via query params is considered less secure, since it will be visible as part of the URL (for example, in browser history or access logs).

///

Again, similar to the approaches above, except we use APIKeyQuery:

{!../../docs_src/security/tutorial010.py!}

The client will then need to pass in the key as a query parameter:

GET /secure-data?x-api-key=mysecretapikey HTTP/1.1
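The three request styles above (header, cookie and query parameter) all end in the same verify_api_key step. The following added example is not code from the FastAPI project or from the tutorial files included above; it models that step in plain Python with the standard library so it runs without FastAPI. It assumes a constructed key store (API_KEYS, keyed per client as the warning recommends), a minimal Request stand-in, and the same names the page uses: the X-API-Key header, the case-sensitive X-API-KEY cookie, and the x-api-key query parameter. The comparison uses hmac.compare_digest so response timing does not reveal how much of a guessed key matched.

```python
import hmac
import os
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample key store: client name -> API key. The environment
# variable names are assumptions; the fallback values exist only so the
# example runs offline (never ship real keys in source).
API_KEYS = {
    "billing-service": os.environ.get("BILLING_API_KEY", "billing-key-constructed"),
    "reporting-job": os.environ.get("REPORTING_API_KEY", "reporting-key-constructed"),
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    target: str                      # request target, e.g. "/secure-data?x-api-key=..."
    headers: dict = field(default_factory=dict)


def key_from_header(req, name="X-API-Key"):
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in req.headers.items()}
    return lowered.get(name.lower())


def key_from_cookie(req, name="X-API-KEY"):
    # Cookie names, unlike header names, are case-sensitive: "x-api-key" does not match.
    raw = key_from_header(req, "Cookie")
    if raw is None:
        return None
    jar = SimpleCookie()
    jar.load(raw)
    return jar[name].value if name in jar else None


def key_from_query(req, name="x-api-key"):
    # Keys in the query string end up in access logs and browser history.
    values = parse_qs(urlsplit(req.target).query).get(name)
    return values[0] if values else None


class Unauthorized(Exception):
    """Raised when the key is missing or invalid; maps to HTTP 401."""
    status_code = 401


def verify_api_key(presented):
    """Return the client name that owns a valid key, else raise Unauthorized.

    Every stored key is compared in constant time, and the loop does not stop
    at the first match, so neither the key bytes nor the matching client's
    position in the store is leaked through timing.
    """
    if presented is None:
        raise Unauthorized("API key missing")
    matched = None
    for client, expected in API_KEYS.items():
        if hmac.compare_digest(expected.encode(), presented.encode()):
            matched = client
    if matched is None:
        raise Unauthorized("invalid API key")
    return matched


def handle(req, extractor):
    """Dispatch /secure-data: (status, body) the way the endpoint would respond."""
    try:
        client = verify_api_key(extractor(req))
    except Unauthorized as exc:
        return exc.status_code, {"detail": str(exc)}
    return 200, {"client": client}


if __name__ == "__main__":
    print(handle(Request("/secure-data", {"X-API-Key": API_KEYS["billing-service"]}), key_from_header))
    print(handle(Request("/secure-data", {"Cookie": "x-api-key=" + API_KEYS["billing-service"]}), key_from_cookie))
    print(handle(Request("/secure-data?x-api-key=wrong"), key_from_query))
```

Swapping the extractor is the only thing that changes between the three schemes, which mirrors how APIKeyHeader, APIKeyCookie and APIKeyQuery differ only in where they read the value from; the verification, the 401 on failure, and the per-client key lookup stay the same.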