Feature: Add API Key Authentication Scoped by User and Tenant #21
Labels
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
psycodepath/hrp#21
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Motivation
To secure the REST API for programmatic access, we need a way for clients to authenticate using an API Key scoped to a specific user and tenant, rather than relying on session cookies.
Description
Implement database changes to store API keys (hashed), along with a middleware or resolver that authenticates requests containing an
X-API-Keyheader, validating it against the specific tenant context and resolving the associated user.User Story
As a developer building a mobile app or home automation script, I want to authenticate my REST API requests using an API Key so that I can query and modify my planner securely without session cookies.
Gherkin Feature
Acceptance Criteria
id,user_id,tenant_id,key_hash,name,created_at).X-API-Keyheader verification.