DRF Simple API Key

Authentication

Using the APIKeyAuthentication backend for API key authentication

Authentication is used here to identify an entity, so that authorization and permissions can be verified on each request. By default, we provide an authentication backend that checks the API key format and ensures that an entity with this API key exists. Django REST Framework comes with authentication backends that set request.user; with the APIKeyAuthentication class, you will likewise find the entity that owns the API key at request.user.

Working with request.user, which might not necessarily be a User, can be a little counter-intuitive, but we are looking for solutions to offer something such as request.entity without disrupting the Django REST Framework authentication and authorization flow. If you have any ideas, feel free to open an issue at https://github.com/koladev32/drf-simple-apikey/issues.

Use the APIKeyAuthentication backend

In your view, add the APIKeyAuthentication class to the authentication_classes attribute:

from rest_framework import viewsets
from drf_simple_apikey.backends import APIKeyAuthentication


class YourViewSet(viewsets.ViewSet):
    http_method_names = ["get"]
    # Only API key authentication is tried for this view.
    authentication_classes = (APIKeyAuthentication, )
...

By default, we check the Authorization header for a value of the form 👉 Api-Key API_KEY_VALUE.

Api-Key is the default value of the AUTHENTICATION_KEYWORD_HEADER setting, which you can change in the settings.py file of your Django project:

DRF_API_KEY = {
    ...
    "AUTHENTICATION_KEYWORD_HEADER": "YOUR_CUSTOM_VALUE",
}

Security Features

The authentication backend includes several security features to protect your API:

  • Timing attack protection: We use constant-time comparisons to prevent attackers from learning about valid API keys by measuring response times.

  • HTTPS enforcement: By default, we reject API key authentication over unencrypted HTTP connections in production.

  • IP address validation: When using IP whitelisting or blacklisting, we safely extract and validate IP addresses, even when behind proxies.

For more details about these security features and how they work, see the Security documentation.
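The header convention described above and the constant-time comparison and HTTPS checks listed under Security Features, as an added illustration that is not the library's own code (pure Python, no Django): `extract_api_key`, `key_matches`, `authenticate`, the in-memory `entities` table and the `secure` flag standing in for request.is_secure() are all constructs of this example.

```python
import hmac
from typing import Dict, Optional

# Default value of AUTHENTICATION_KEYWORD_HEADER as stated on this page.
DEFAULT_KEYWORD = "Api-Key"


def extract_api_key(headers: Dict[str, str], keyword: str = DEFAULT_KEYWORD) -> Optional[str]:
    """Return the key from an 'Authorization: <keyword> <key>' header, else None.

    Returning None (rather than raising) for a missing header, a wrong keyword
    or a malformed value lets other authentication classes on the view run.
    Keyword matching is case-insensitive here; that is an assumption of this
    example, not a documented property of the library.
    """
    raw = headers.get("Authorization")
    if raw is None:
        return None
    parts = raw.split()
    if len(parts) != 2 or parts[0].lower() != keyword.lower():
        return None
    return parts[1]


def key_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison: runtime does not depend on how many leading
    characters of `presented` agree with `stored`."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


def authenticate(headers: Dict[str, str], entities: Dict[str, str],
                 secure: bool, keyword: str = DEFAULT_KEYWORD) -> Optional[str]:
    """Resolve the entity name for a request, or None when authentication fails.

    `entities` is a constructed in-memory table {entity_name: stored_key}.
    `secure` stands in for request.is_secure(): a key sent over plain HTTP is
    rejected before any lookup, mirroring the HTTPS-enforcement feature.
    Every stored key is compared (no early return), so a rejected key costs
    the same time whether or not a near-miss exists in the table.
    """
    if not secure:
        return None
    presented = extract_api_key(headers, keyword)
    if presented is None:
        return None
    found = None
    for name, stored in entities.items():
        if key_matches(presented, stored):
            found = name
    return found
```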

Feel free to read the code of the authentication class at https://github.com/koladev32/drf-simple-apikey/blob/main/drf-simple-apikey/backends.py.
