Feature: Add API Key Authentication Scoped by User and Tenant #21

Closed
opened 2026-07-04 21:54:33 +00:00 by psycodepath · 0 comments
Owner

Motivation

To secure the REST API for programmatic access, we need a way for clients to authenticate using an API Key scoped to a specific user and tenant, rather than relying on session cookies.

Description

Implement database changes to store API keys (hashed), along with a middleware or resolver that authenticates requests containing an X-API-Key header, validating it against the specific tenant context and resolving the associated user.

User Story

As a developer building a mobile app or home automation script, I want to authenticate my REST API requests using an API Key so that I can query and modify my planner securely without session cookies.

Gherkin Feature

Feature: API Key Authentication
  As an API client
  I want to pass an X-API-Key header
  So that I can authenticate requests for a user under a specific tenant

Acceptance Criteria

  • Database schema updated to store api keys (hashed, containing id, user_id, tenant_id, key_hash, name, created_at).
  • Authentication service adapter or middleware supporting X-API-Key header verification.
  • Scoped validation ensuring the key is only valid for the specific tenant URL it is requested on.
  • Unit and integration tests verifying successful authentication and rejection of invalid/wrongly scoped keys.
### Motivation To secure the REST API for programmatic access, we need a way for clients to authenticate using an API Key scoped to a specific user and tenant, rather than relying on session cookies. ### Description Implement database changes to store API keys (hashed), along with a middleware or resolver that authenticates requests containing an `X-API-Key` header, validating it against the specific tenant context and resolving the associated user. ### User Story As a developer building a mobile app or home automation script, I want to authenticate my REST API requests using an API Key so that I can query and modify my planner securely without session cookies. ### Gherkin Feature ```gherkin Feature: API Key Authentication As an API client I want to pass an X-API-Key header So that I can authenticate requests for a user under a specific tenant ``` ### Acceptance Criteria - [ ] Database schema updated to store api keys (hashed, containing `id`, `user_id`, `tenant_id`, `key_hash`, `name`, `created_at`). - [ ] Authentication service adapter or middleware supporting `X-API-Key` header verification. - [ ] Scoped validation ensuring the key is only valid for the specific tenant URL it is requested on. - [ ] Unit and integration tests verifying successful authentication and rejection of invalid/wrongly scoped keys.
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
psycodepath/hrp#21
No description provided.