From 9a7b9f88148348c5a8f971040f5874dc42a95433 Mon Sep 17 00:00:00 2001
From: Daisie Huang <daisieh@gmail.com>
Date: Tue, 10 Mar 2026 17:41:04 -0700
Subject: [PATCH] add service-token check for candig-api

---
 htsget_server/authz.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/htsget_server/authz.py b/htsget_server/authz.py
index ea1bcba7..dbb3ef81 100644
--- a/htsget_server/authz.py
+++ b/htsget_server/authz.py
@@ -29,7 +29,7 @@ def has_full_authz(request):
     """
     if is_testing(request):
         return True
-    if request_is_from_ingest(request) or request_is_from_query(request):
+    if request_is_from_ingest(request) or request_is_from_query(request) or request_is_from_candig_api(request):
         return True
     if "Authorization" in request.headers:
         try:
@@ -57,3 +57,8 @@ def request_is_from_ingest(request):
     if "X-Service-Token" in request.headers:
         return authx.auth.verify_service_token(service="candig-ingest", token=request.headers["X-Service-Token"])
     return False
+
+def request_is_from_candig_api(request):
+    if "X-Service-Token" in request.headers:
+        return authx.auth.verify_service_token(service="candig-api", token=request.headers["X-Service-Token"])
+    return False