
Ask HN: How to add production-grade security/authentication to my REST API? - chirau
So I have a basic Flask CRUD API fully built. By that, I mean the routes, responses, and error handling.<p>So now I want to make it public and assign keys and tokens to developers just like how most APIs do. When I sign up for say Twilio or Plaid or any modern developer platform, I am assigned a public key, secret key, and token and I get a dashboard for this.<p>How do I add these things to my own API? What am I supposed to read up on or is this done through a third-party provider? What are the libraries and packages I should be looking into? Are there any tutorials for such things? What about things like usage control and rate-limiting?
======
codegeek
You could use an Oauth2 server to generate the entire flow including
keys/tokens etc. There are self hosted options like ory.sh or you can get a
premium provider like Okta/AUth0 etc.

If you want something simpler, you can just create your own API token for each
user but then you will have to build things like regenerate, refresh, expire
etc etc. Protocols like OAuth2 make all this standard but adds complexity.

------
matt_s
How secure do you want it to be? Also - what are the chances your users will
leave API keys in their source code repo or pass them around to other devs on
their team?

A lot of the reasoning around API security depends on who your users are and
what type of protection you want, or need contractually, around the data
behind your API.

There are likely going to be OAuth libraries you could use, everything should
be behind HTTPS.

------
theandrewbailey
Keys and tokens sound like OAuth. You will need to understand the roles that
each party plays in OAuth (are you the application or the identity provider?),
and configure/use Flask appropriately. I'm not that familiar with Flask, but a
cursory search says that it supports some of OAuth.

Or you might say 'screw it', and use HTTP Basic auth with HTTPS.

