HACKER Q&A
📣 chirau

How to add production-grade security/authentication to my REST API?


So I have a basic Flask CRUD API fully built. By that, I mean the routes, responses, and error handling.

So now I want to make it public and assign keys and tokens to developers just like how most APIs do. When I sign up for, say, Twilio or Plaid or any modern developer platform, I am assigned a public key, secret key, and token, and I get a dashboard for this.

How do I add these things to my own API? What am I supposed to read up on or is this done through a third-party provider? What are the libraries and packages I should be looking into? Are there any tutorials for such things? What about things like usage control and rate-limiting?


  👤 codegeek Accepted Answer ✓
You could use an OAuth2 server to generate the entire flow including keys/tokens etc. There are self-hosted options like ory.sh, or you can get a premium provider like Okta/Auth0 etc.

If you want something simpler, you can just create your own API token for each user, but then you will have to build things like regenerate, refresh, expire, etc. Protocols like OAuth2 make all this standard but add complexity.
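As an added example (not code from this thread or from any of the providers named above), here is the second option, a self-issued API key per developer with issue, regenerate, refresh and revoke, plus the per-key rate limiting the question asks about, written in framework-agnostic Python using only the standard library. The `KeyStore` class, the `pk_`/`sk_` prefixes, the `Authorization: Bearer <key_id>.<secret>` format and the `handle_request` function are my own assumptions; `handle_request` stands in for what a Flask `before_request` hook or decorator would do with `request.headers`.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical server-side pepper: in production, load it from a secret store.
# Secrets are high-entropy random strings, so HMAC-SHA256 is enough here; a slow
# password hash (bcrypt/scrypt) is for human-chosen passwords, not random keys.
SERVER_PEPPER = b"example-pepper-replace-me"


class AuthError(Exception):
    """Raised with a short reason code: unknown, bad_secret, revoked, expired."""


def _digest(secret: str) -> str:
    return hmac.new(SERVER_PEPPER, secret.encode(), hashlib.sha256).hexdigest()


@dataclass
class KeyRecord:
    key_id: str          # public identifier: safe to show in the dashboard and logs
    secret_digest: str   # only the digest is stored; the secret is shown once
    owner: str
    expires_at: float
    revoked: bool = False
    tokens: float = 0.0  # token-bucket state for per-key rate limiting
    last_refill: float = 0.0


class KeyStore:
    def __init__(self, rate_per_sec: float = 5.0, burst: int = 10, now=time.time):
        self._keys: dict[str, KeyRecord] = {}
        self.rate, self.burst, self.now = rate_per_sec, burst, now

    def issue(self, owner: str, ttl_seconds: int) -> tuple[str, str]:
        """Create a key for a developer. The secret is returned exactly once."""
        key_id = "pk_" + secrets.token_hex(8)
        secret = "sk_" + secrets.token_urlsafe(32)
        t = self.now()
        self._keys[key_id] = KeyRecord(key_id, _digest(secret), owner, t + ttl_seconds,
                                       tokens=self.burst, last_refill=t)
        return key_id, secret

    def regenerate(self, key_id: str) -> str:
        """Replace the secret behind an existing key id; the old secret stops working."""
        secret = "sk_" + secrets.token_urlsafe(32)
        self._keys[key_id].secret_digest = _digest(secret)
        return secret

    def refresh(self, key_id: str, ttl_seconds: int) -> None:
        """Extend the expiry (what a dashboard 'renew' button would call)."""
        self._keys[key_id].expires_at = self.now() + ttl_seconds

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].revoked = True

    def authenticate(self, authorization: str) -> KeyRecord:
        """Validate an 'Authorization: Bearer <key_id>.<secret>' header value."""
        scheme, _, credential = authorization.partition(" ")
        key_id, _, secret = credential.partition(".")
        rec = self._keys.get(key_id)
        if scheme != "Bearer" or rec is None:
            # Do the same amount of work for unknown ids as for known ones.
            hmac.compare_digest(_digest(secret), _digest(""))
            raise AuthError("unknown")
        # Check the secret first so callers without it cannot learn whether a
        # key id is merely expired or revoked.
        if not hmac.compare_digest(rec.secret_digest, _digest(secret)):
            raise AuthError("bad_secret")
        if rec.revoked:
            raise AuthError("revoked")
        if self.now() >= rec.expires_at:
            raise AuthError("expired")
        return rec

    def allow_request(self, rec: KeyRecord) -> bool:
        """Token bucket: up to `burst` requests at once, `rate_per_sec` sustained."""
        t = self.now()
        rec.tokens = min(self.burst, rec.tokens + (t - rec.last_refill) * self.rate)
        rec.last_refill = t
        if rec.tokens < 1:
            return False
        rec.tokens -= 1
        return True


def handle_request(store: KeyStore, headers: dict) -> tuple[int, str]:
    """Hypothetical request hook: returns (status, body) as a Flask view would."""
    try:
        rec = store.authenticate(headers.get("Authorization", ""))
    except AuthError as e:
        return 401, f"unauthorized: {e}"
    if not store.allow_request(rec):
        return 429, "rate limited"
    return 200, f"hello {rec.owner}"
```

The split between a public `key_id` and a one-time-shown secret is what lets a dashboard list keys, show when they expire and offer "regenerate" without ever being able to display the secret again; a real deployment would persist `KeyRecord` in a database and store the rate-limit counters somewhere shared (for instance Redis) so that limits hold across multiple API workers.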


👤 matt_s
How secure do you want it to be? Also - what are the chances your users will leave API keys in their source code repo or pass them around to other devs on their team?

A lot of the reasoning around API security depends on who your users are and what type of protection you want, or need contractually, around the data behind your API.

There are likely going to be OAuth libraries you could use; everything should be behind HTTPS.


👤 theandrewbailey
Keys and tokens sound like OAuth. You will need to understand the roles that each party plays in OAuth (are you the application or the identity provider?), and configure/use Flask appropriately. I'm not that familiar with Flask, but a cursory search says that it supports some of OAuth.

Or you might say 'screw it', and use HTTP Basic auth with HTTPS.
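The "screw it" option above, as an added example that is not from this thread: verifying an `Authorization: Basic ...` header by hand, with the password stored as a salted PBKDF2 digest and compared in constant time. The `USERS` table, the `dev-alice` account and its password are constructed for the example; `basic_header` is the client-side helper a caller would use to build the header.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store only (salt, PBKDF2-HMAC-SHA256 digest), never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table for the example: username -> (salt, digest).
USERS = {"dev-alice": make_record("correct horse battery staple")}

# Dummy record so unknown usernames cost the same to check as known ones.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def basic_header(user: str, password: str) -> str:
    """What a client puts in the Authorization header (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization: str) -> Optional[str]:
    """Return the username if the header is valid, otherwise None."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    salt, expected = USERS.get(user, _DUMMY)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # compare_digest runs in constant time; the explicit membership check keeps
    # a dummy-record match from ever counting as a login.
    if user in USERS and hmac.compare_digest(got, expected):
        return user
    return None
```

Basic auth sends the credential on every request, so the HTTPS requirement mentioned in the answer is not optional: without TLS the base64 encoding is the only thing "protecting" the password on the wire.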