A library that provides a simple token authorization for Django REST framework.
With a correctly configured pipenv toolchain:
pipenv install drf-simple-access-keyYou may also use classic pip to install the package:
pip install drf-simple-access-keyWe use isort (https://github.com/pycqa/isort) and black (https://github.com/psf/black) for local auto-formatting and for linting in the CI pipeline. The pre-commit framework (https://pre-commit.com) provides GIT hooks for these tools, so they are automatically applied before every commit.
Steps to activate:
- Install the pre-commit framework: pip install pre-commit(for alternative installation options see https://pre-commit.com/#install)
- Activate the framework (from the root directory of the repository): pre-commit install
Hint: You can also run the formatters manually at any time with the following command: pre-commit run --all-files
Default: 'x-authorization'
Name of the HTTP request header used for authorization.
Default: 'bearer'
Name of the HTTP authorization scheme.
Default: []
List of valid authorization keys. Note that any request is allowed if this configuration option is empty!
SIMPLE_ACCESS_KEY_SETTINGS = {
    'HTTP_AUTHORIZATION_HEADER': 'x-authorization',
    'HTTP_AUTHORIZATION_SCHEME': 'bearer',
    'AUTHORIZATION_KEYS': [
        'example-token-1234',
    ],
}
REST_FRAMEWORK = {
    # ...
    'DEFAULT_PERMISSION_CLASSES': [
        'drf_simple_access_key.SimpleAccessKey',
        # ...
    ],
    # ...
}All API endpoints that use the permission class are protected by the simple access key authorization.
GET http://my.tld/api/v1/resource/
x-authorization: bearer example-token-1234
This library provides the simplest possible solution to protect a REST API from unauthorized access. It allows anyone in possession of a valid key to access the endpoints without the possibility of user authentication. This type of authorization is well suited for microservices that users cannot access directly.
In summary this means:
✔️ Use this authorization only if access to the REST API is possible from known and trusted sources only (e.g. an API gateway).
✔️ Use this authorization only if no user authentication is required within the REST API.
❌ Never use this authorization if the REST API is publicly accessible over the Internet.
❌ Never use this authorization if the consumers of the REST API are real users, and not exclusively systems such as an API gateway.
| Django REST framework 3.14 | Django REST framework 3.15 | |
|---|---|---|
| Python 3.9 | ✓ | ✓ | 
| Python 3.10 | ✓ | ✓ | 
| Python 3.11 | ✓ | ✓ | 
| Python 3.12 | ✓ | ✓ | 
| Python 3.13 | ✓ | ✓ | 
See folder tests/. Basically, all endpoints are covered with multiple unit tests.
Follow below instructions to run the tests.
You may exchange the installed Django and DRF versions according to your requirements.
:warning: Depending on your local environment settings you might need to explicitly call python3 instead of python.
# install dependencies
python -m pip install --upgrade pip
pip install -r requirements.txt
# setup environment
pip install -e .
# run tests
cd tests && python manage.py test- Andreas Stocker [email protected]
- Harald Nezbeda [email protected]