api_auth
API key authentication for the public REST API.
All v1 endpoints that require authentication should be decorated with @require_api_key. The decorator:
Reads the “Authorization: Bearer <key>” header.
Looks up the key in the database.
Checks that the key is active and that the owner is not blocked.
Stamps the key’s last_used timestamp.
Attaches request.api_user/request.api_key plus quota context fields.
The decorator also applies @csrf_exempt so that programmatic clients do not need to obtain a CSRF cookie.
Module Contents
- api_auth.require_api_key(view_func)
Decorator that authenticates requests via a Bearer token.
Usage:
@require_api_key def my_view(request):
user = request.api_user key = request.api_key quota_subject = request.api_quota_subject …
- On success, the following attributes are attached:
request.api_user — the ApiUser record tied to this key
request.api_key — the ApiKey instance used for auth
request.api_quota_subject — Redis quota subject tied to this API key
request.api_daily_limit — effective daily limit for this key
request.api_request_ip — source IP of the current request
request.api_ip — legacy alias for the owner’s registered IP