Skip to content

Latest commit

 

History

History
91 lines (62 loc) · 3.75 KB

File metadata and controls

91 lines (62 loc) · 3.75 KB

Authentication

The Summarization API uses API Key authentication to control access. There are two ways to provide an API key:

  1. Environment Variables (.env) – The API owner can set OPENAI_API_KEY and DEEPSEEK_API_KEY to allow authorized access without requiring clients to provide API keys. However this only works if the origin is a value in ALLOWED_ORIGINS.
  2. Request Headers – Clients can include an API key in the Authorization header for each request.

When there is both a .env key and a request header key, the request header key will be used.


1. API Key Authentication (Recommended)

Providing API Key in Request Headers

Clients can send their API key dynamically in the Authorization header:

Example Request:

curl -X POST http://localhost:3000/summarize/text \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "content": { "text": "This is a test." }, "options": {} }'

Request Header Format:

Authorization: Bearer YOUR_API_KEY

2. Allowed Origin Configuration

The API restricts access to the default keys to specific frontend applications by defining ALLOWED_ORIGINS.
If an origin is not allowed, then the api key must be provided in the request headers.

ALLOWED_ORIGINS=http://localhost:3001,http://localhost:3000
  • If a frontend is listed in ALLOWED_ORIGINS, it does not need to send API keys.
  • If a frontend is not listed in ALLOWED_ORIGINS, it must include API keys in request headers.

3. API Key Validation

The API uses a security guard (ApiKeyGuard) to verify API keys before processing requests.

Validation Rules**

Scenario What Happens? Notes
Valid API Key in Request Header ✅ Request is allowed Does not require origin to be provided in ALLOWED_ORIGINS
Valid API Key in .env but not in request ✅ Request is allowed (uses .env key) Requires origin to be provided in ALLOWED_ORIGINS
Valid API Key in .env and in request ✅ Request is allowed (uses request api key) ✅Even if the origin is provided in ALLOWED_ORIGINS, api key in the request will be used
No API Key provided in request or .env ❌ Request is rejected

4. Example: API Request without API Key (no Authorization Header)

curl -X POST http://localhost:3000/summarize/text \
  -H "Origin: http://localhost:3001" \
  -H "Content-Type: application/json" \
  -d '{ "content": { "text": "This is a test." }, "options": {} }'

This will be valid only if the ALLOWED_ORIGINS contains http://localhost:3001.


Next Steps