Background
I'm working on a web service with Python as backend using FastAPI. As far as I know, for the front end user authentication and authorized requests there is JWT. Following the best practices, the token would expired in 15 minutes and refreshed before that.
However, if I want to expose some RESTful API endpoints (e.g. read/write data to my database) for other developers (e.g. Stripe users would call Stripe's API with some keys), I need to create a permanent API key with some configurable permission, like the personal access token for Github. It seems to me that using JWT is not a good option because it's not ideal to set long expiration time or ask external developers to refresh tokens frequently.
I had hard time finding related resources for designing such as system to manage these API keys, even though many companies provide this kind of service.
I would imagine the solution to be having a table in the database that stores the API keys with some permission levels as columns and links with the user table. However, with this method, each call from the external developers/service has to query the database to validate permission, which may hurt the response time compared to JWT. I'd like to know if this makes sense what are the best practices.
Questions
- What is the work flow to generate the API keys for external developers/service to call my API endpoints that need user authentication?
- How to revoke given API keys?
- How to configure/validate API keys for different permissions?
- How to design the table to manage API keys?
Aucun commentaire:
Enregistrer un commentaire