api_auth

API key authentication for the public REST API.

All v1 endpoints that require authentication should be decorated with @require_api_key. The decorator:

  1. Reads the “Authorization: Bearer <key>” header.

  2. Looks up the key in the database.

  3. Checks that the key is active and that the owner is not blocked.

  4. Stamps the key’s last_used timestamp.

  5. Attaches request.api_user/request.api_key plus quota context fields.

The decorator also applies @csrf_exempt so that programmatic clients do not need to obtain a CSRF cookie.

Module Contents

api_auth.require_api_key(view_func)

Decorator that authenticates requests via a Bearer token.

Usage:

@require_api_key def my_view(request):

user = request.api_user key = request.api_key quota_subject = request.api_quota_subject …

On success, the following attributes are attached:
  • request.api_user — the ApiUser record tied to this key

  • request.api_key — the ApiKey instance used for auth

  • request.api_quota_subject — Redis quota subject tied to this API key

  • request.api_daily_limit — effective daily limit for this key

  • request.api_request_ip — source IP of the current request

  • request.api_ip — legacy alias for the owner’s registered IP