Authentication
FenLiu uses API key authentication via the X-API-Key header.
API Key Header
All protected endpoints require:
X-API-Key: your-api-key
Current Implementation
Unprotected Endpoints
- GET /health - Health check
- GET /info - Application info
Protected Endpoints
All other endpoints require a valid API key:
- /api/v1/hashtags/* - Stream operations
- /api/v1/posts/* - Post operations
- /api/v1/curated/* - Queue export
- /api/v1/reblog-controls/* - Export filters
- /api/v1/stats - Statistics
Usage Examples
cURL
curl -H "X-API-Key: your-api-key" \
  http://localhost:8000/api/v1/posts
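Python (httpx)
import asyncio
import httpx

headers = {"X-API-Key": "your-api-key"}

async def main():
    # "async with" and "await" are only valid inside a coroutine
    async with httpx.AsyncClient() as client:
        response = await client.get(
            "http://localhost:8000/api/v1/posts",
            headers=headers
        )
        return response

response = asyncio.run(main())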
Python (requests)
import requests

headers = {"X-API-Key": "your-api-key"}
response = requests.get(
    "http://localhost:8000/api/v1/posts",
    headers=headers
)
JavaScript (fetch)
const response = await fetch(
  "http://localhost:8000/api/v1/posts",
  {
    headers: { "X-API-Key": "your-api-key" }
  }
);
Error Responses
Missing API Key
401 Unauthorized
{"detail": "Missing X-API-Key header"}
Invalid API Key
401 Unauthorized
{"detail": "Invalid API key"}
Current Limitations
- Single shared API key (development setup)
- No key expiration
- No per-key rate limiting
- No key rotation mechanism
- No per-user isolation
Setting Up API Keys
API keys are currently managed manually in development. Generate a test key:
python -c "import secrets; print(secrets.token_urlsafe(32))"
Use the generated key in the X-API-Key header.
Web Interface
The web interface (dashboard, review pages, etc.) does not require API key authentication. Control access via:
- Network-level firewall rules
- Reverse proxy with basic auth
- VPN/SSH tunnel
Next Steps
- Curated Queue API - Queue endpoints
- API Overview - All API endpoints
- System Design - Architecture