Hi @meandus - @tiangolo has a full example that includes that functionality: https://github.com/tiangolo/full-stack-fastapi-postgresql/tree/cd112bd683dcb9017e5f84c0ed3e4974a52e5571/%7B%7Bcookiecutter.project_slug%7D%7D/backend/app/app

and plenty of tutorial info here: https://fastapi.tiangolo.com/tutorial/security/intro/

Also - the Gitter channel is already pretty active for these types of questions: https://gitter.im/tiangolo/fastapi

Thanks @wshayes for your help here! Much appreciated as always 🎉

@meandus if you can use OAuth2, that tutorial and the project generator might help. If somehow you explicitly need something different than OAuth2, with some custom APIKeyHeader (as defined in OpenAPI), yes, it is supported, but it is not properly documented yet.

I suggest you check the security section in the docs shared by William, and after knowing how it works, if you need to explicitly use APIKeyHeader instead of OAuth2, you can from fastapi.security.api_key import APIKeyHeader.

At least while I update the docs with those specifics... 😁

@meandus it depends mostly on your setup, how are you deploying, if you have CI, etc. These kinds of things normally go in environment variables. You can also put them in a file that you read. If the repo is public, then you don't commit that file, just use it during deployment.

If you use the project generators, those settings are read from environment variables, and are passed as environment variables by Docker, reading them from Docker config files.

Great! Thanks for reporting back.

It would be really great if someone could at least paste an example of how these headers might be used, i seem to be going through file after file of source code trying to track down anything that I could use as a reference to how to get an API KEY passed via a header to be used as authentication, and i'm not having any luck!
Thanks!

I ended up working it out, here's how i solved the problem

security.py

from fastapi import Depends, HTTPException
from fastapi.security import APIKeyHeader
from starlette import status


X_API_KEY = APIKeyHeader(name='X-API-Key')


def check_authentication_header(x_api_key: str = Depends(X_API_KEY)):
    """ takes the X-API-Key header and converts it into the matching user object from the database """

    # this is where the SQL query for converting the API key into a user_id will go
    if x_api_key == "1234567890":
        # if passes validation check, return user data for API Key
        # future DB query will go here
        return {
            "id": 1234567890,
            "companies": [1, ],
            "sites": [],
        }
    # else raise 401
    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Invalid API Key",
    )

main.py

...
from fastapi import APIRouter, Depends
from models import Result, User
from security import check_authentication_header
...
@app.get("/result/", response_model=List[Result])
def result(user: User = Depends(check_authentication_header)):
    """ return a list of test results """
    print('user', user)
    ...

Looks like the beginnings of another great blog article :)

@tiangolo any ideas on where this documentation should go?
I'll try and work on it this week

@bendog Thanks for the code snippet! Would be great if you could add it to the documentation with a bit more explanation :-)

I want to add that you obviously need to create a User model first (it confused me that you return a dict but annotate it as a User in main.py).

@moreinhardt Sounds good, which file should I use in the repo to create my draft?

I don't see any references to this anywhere else in the code. Is this still relevant @tiangolo ? If so I could give it a go :)

@bendog I don't really understand the difference between Security(X_API_KEY) vs Depends(X_API_KEY).

@st3fan can you link me to the docs about Security(X_API_KEY)?
This might have been added since I solved my database driven API key issue

if api_key is not necessary in the endpoint you can go for

from fastapi import Security
from fastapi.security.api_key import APIKeyHeader

API_KEY = "1234567asdfgh"
API_KEY_NAME = "X-API-KEY"

api_key_header_auth = APIKeyHeader(name=API_KEY_NAME, auto_error=True)

async def get_api_key(api_key_header: str = Security(api_key_header_auth)):
    if api_key_header != API_KEY:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid API Key",
        )

@router.get('/health', dependencies=[Security(get_api_key)])
async def endpoint():

Is this available to take up?

@bendog thanks for the example, but how would I apply this globally across the entire application? I'm playing around with middleware but I'm getting nowhere. This example would require me to add Depends(...) on all routes individually, which will eventually lead to someone messing up and forgetting it, leaving potentially sensitive routes exposed to the entire world

You could easily apply it to the whole application?

Here's an example from my own API:

    app.include_router(
        api,
        prefix='/api',
        dependencies=[Security(get_current_user, scopes=['openid'])],
    )

Global dependency with APIKeyHeader does not work

api_key_header = APIKeyHeader(name=API_KEY_NAME)

async def get_api_key(api_key_header: str = Security(api_key_header)):
    if api_key_header != API_KEY:
        raise HTTPException(
            status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials"
        )
    return api_key_header


app = FastAPI(dependencies=[Depends(get_api_key)])

https://fastapi.tiangolo.com/tutorial/dependencies/global-dependencies/

Even if I change it to use Header it still does not work.

async def get_api_key(api_key_header: str = Header(...)):
    if api_key_header != API_KEY:
        raise HTTPException(
            status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials"
        )
    return api_key_header


app = FastAPI(dependencies=[Depends(get_api_key)])

Global dependency with APIKeyHeader does not work

api_key_header = APIKeyHeader(name=API_KEY_NAME)

async def get_api_key(api_key_header: str = Security(api_key_header)):
    if api_key_header != API_KEY:
        raise HTTPException(
            status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials"
        )
    return api_key_header


app = FastAPI(dependencies=[Depends(get_api_key)])

https://fastapi.tiangolo.com/tutorial/dependencies/global-dependencies/

Even if I change it to use Header it still does not work.

async def get_api_key(api_key_header: str = Header(...)):
    if api_key_header != API_KEY:
        raise HTTPException(
            status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials"
        )
    return api_key_header


app = FastAPI(dependencies=[Depends(get_api_key)])

Not sure if this will solve your problem, or whether you figured it out, but for anyone else experiencing this issue:
Nginx was stripping any headers with underscores.
I changed my API_KEY_NAME="access_token" to "API_KEY_NAME="access-token"" and it fixed my issue.

Alternatively, setting underscores_in_headers on; in your nginx.conf file should also work (I did not test this approach).

Does anyone know who has the answers to Netcade python essentials part 2 for modules test/quizzes one to four