
M1-3: Implement API Key Authentication

Description

Add authentication middleware that checks the API_TOKEN environment variable on all tool endpoints.

Acceptance Criteria

  • Read API_TOKEN from environment variable (using existing dotenv)
  • Validate Bearer token in Authorization header
  • Return 401 Unauthorized for invalid/missing tokens
  • No rate limiting required (per requirements)
  • Audit logging of all requests with:
    • Timestamp
    • Tool invoked
    • Parameters (sensitive data redacted)
    • Response time
    • Success/failure status
  • Never log the actual API key value

Authentication Flow

  1. Extract the Bearer token from the Authorization header
  2. Compare it with the API_TOKEN environment variable
  3. Allow the request if they match; otherwise reject it with 401
  4. Log the request details (without the token)

Example Request

POST /api/v1/tools/system/overview
Authorization: Bearer {API_TOKEN}
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "get_system_overview",
  "params": {},
  "id": 1
}

Example 401 Response

{
  "error": {
    "code": -32607,
    "message": "Permission denied",
    "data": {
      "reason": "Invalid or missing API token"
    }
  }
}

Local Development

  • Support .env file for local testing:
    API_TOKEN=local-dev-token-12345
    NODE_ENV=development
    PORT=8080

Technical Requirements

  • Implement as Effect.Layer for authentication service
  • Apply to all /api/v1/tools/* endpoints
  • Exclude /health endpoint from authentication
  • Use structured logging (JSON format)

Estimated Effort

6 hours