qfa.auth#

Authentication utilities for API key validation.

Functions

validate_api_key(provided_key, api_keys)

Validate a provided API key against the loaded keys.

qfa.auth.validate_api_key(provided_key: str, api_keys: list[TenantApiKey]) → TenantApiKey[source]#

Validate a provided API key against the loaded keys.

Uses secrets.compare_digest for constant-time comparison. Compares against all keys to avoid timing attacks.

Parameters:

provided_key (str) – The API key value supplied by the caller.
api_keys (list[TenantApiKey]) – The loaded set of valid API keys.

Returns:

The matching tenant API key.

Return type:

Raises:

AuthenticationError – If no loaded key matches provided_key.