Authentication
This page describes how to authenticate with the ARF API.
Current status
- There is no route-level or global authentication enforced by the API code in this repository. The API routes (including governance endpoints) do not validate API keys, tokens, or other credentials.
What the code provides
- The configuration model (`app/core/config.py`) exposes an optional `api_key` setting. This can be provided via environment variables or a `.env` file (the `BaseSettings` `env_file` is configured to read `.env`).
What this means for you
- Setting `API_KEY` in a `.env` file or environment variable will populate `settings.api_key`, but the current route implementations do not check this value.
- If you require authentication, add a FastAPI dependency or middleware that checks `settings.api_key` (or another auth mechanism) and then apply it to routes or include it in a dependency override.
Suggested minimal approach to enable API key checking
- Implement a dependency in `app.api.deps` (e.g., `get_api_key`) that compares a header value to `settings.api_key` and raises `HTTPException(401)` when missing/invalid.
- Add that dependency to routers or individual endpoints where auth is required.
Notes
- Tests and example code in this repo currently run without auth.