Summary
Implement simple API key authentication as a lightweight alternative to full JWT/OAuth2 for simpler deployments.
Background
While JWT with RBAC provides comprehensive security, some deployments need simpler authentication:
- Internal/isolated networks
- Development and testing environments
- Single-user scenarios
- Quick prototyping
- Machine-to-machine communication
Proposed Solution
1. Configuration
ros2_medkit_gateway:
ros__parameters:
auth:
# Simple API key mode (alternative to JWT)
api_keys:
enabled: false
keys:
- key: "your-secret-api-key-here"
name: "developer-1"
role: "admin"
- key: "readonly-key"
name: "monitoring-system"
role: "viewer"
# Where to look for API key
header_name: "X-API-Key"
query_param_name: "api_key" # Optional, less secure2. Usage
Clients include the API key in requests:
# Via header (preferred)
curl -H "X-API-Key: your-secret-api-key-here" http://localhost:8080/api/v1/areas
# Via query parameter (less secure, for debugging only)
curl "http://localhost:8080/api/v1/areas?api_key=your-key"
3. API Key Management
- Keys should be generated securely (minimum 32 characters, cryptographically random)
- Support key rotation without restart
- Log key usage for auditing
Implementation Tasks
Acceptance Criteria
Security Recommendations
Document these best practices:
- Never commit API keys to version control
- Use environment variables or secure vaults for key storage
- Prefer header-based authentication over query parameters
- Rotate keys periodically
- Use different keys per client/service for auditability
Summary
Implement simple API key authentication as a lightweight alternative to full JWT/OAuth2 for simpler deployments.
Background
While JWT with RBAC provides comprehensive security, some deployments need simpler authentication:
Proposed Solution
1. Configuration
2. Usage
Clients include the API key in requests:
3. API Key Management
Implementation Tasks
Acceptance Criteria
Security Recommendations
Document these best practices: