API Security - Authentication and Authorization

[geoff-maddock]

Story As the maintainer of the API, I would like to require users of the API to authenticate and be authorized to use API endpoints. This is for security purposes as well as load and logging of actions.

Possible Solution

• Basic auth with manually created set of usernames and passwords as MVP
• Use specific user accounts that have been granted API permission as enhancement
• Add API specific permissions to more granularly limit what endpoints are authorized
• Add an API-KEY generation for users to more easily track specific API access

[geoff-maddock]

Start thinking about this for the API - how will I identify the user who is making the requests?

[geoff-maddock]

Update: I'm using Basic Auth, and also have the option to use "Shield" users that are not in the database.