Client-level (not user) authentication

[nareto]

I'm using this repo to develop a backend being used by an Android app I'm also developing. The backend is publicly exposed, but I'd like to allow only the Android app to access it. I don't care about hiding the endpoints, just making them throw a 400 error if the request comes from an unauthorized client.

How would you approach this?

I thought of putting some random UUID in the Android source code, and on every request encrypt it with a public key from the backend, which would require this same UUID to be present in every request. How would I do this? I need to do this on top of the existing jwt-base user authentication.

[thomas-chauvet]

Hello,

I think this is an issue for official fastAPI repository here.

In short, I think you should use API key. It will give you a token-based authentication for your app to login to the API.

You can refer to this issue on fastAPI repo. There is no doc yet for API Key in FastAPI even if it can handle it.

You can also check this article to have more detail.