Access key based authentication in DRF (Django REST Framework)

If you start developing a REST API, one of the fundamental requirements you will need to implement an authentication system. Which prevents any anonymous  user to expose your REST endpoint.

For developing REST API, I used to start from scratch by using Django/Flask, then I used Piston . And when the further development of Piston stopped, I started using Tastypie. Last year I was reading documentation of DRF and I realised, my next REST API I will develop on top of DRF. And since then I am using it. The documentation  is organised and it has a growing community around it.

So back to the point, in DRF you can have an access key based authentication system quickly without coding much configuration and code.

While authenticating an user via access key, the core idea is, we need to check whether there is any user exists with the provided access_key or not. And to return data or raising exception.

At the beginning, add a new file in your django app called ““. To write custom authentication in DRF,  “BaseAuthentication” and then we need to override “authenticate” method. authenticate takes to django request object from which we will get the access key like request.get(“access_key”, None). The whole sub-class look like below:

from rest_framework import authentication
from rest_framework import exceptions
from apps.newspaper.models import Subscriber
class AccessKeyAuthentication(authentication.BaseAuthentication):
def authenticate(self, request):
access_key = request.GET.get("access_key", None)
if not access_key:
raise exceptions.NotFound("Access key not provided.")
user = Subscriber.objects.get(access_key=access_key)
except Subscriber.DoesNotExist:
raise exceptions.PermissionDenied("No User found with the access key")
except ValueError:
raise exceptions.ValidationError("Badly formed hexadecimal UUID string")
return (user, None)

view raw
hosted with ❤ by GitHub

And next step is to add it to our REST_FRAMEWORK settings in project settings (, like below:


To use it, we need to import it and apply it as a decorator like below:

from apps.newspaper.authentication import AccessKeyAuthentication
@authentication_classes((AccessKeyAuthentication, ))
def list_news(request):
   # your code goes here

And then call the endpoint like: /news?access_key=”ACCESS_KEY”. And it will return our REST output.

In this tutorial, in Subscriber model I have a field called which is “access_key”, you can use any other models/field for authentication checking.

This is the preferred way I mostly apply  authentication in DRF based REST API and then as the API grows I used to add more sophisticated authentication for the API. DRF also comes with token based authentication which is described in the docs briefly.

Further reading:
DRF Authentication Documentation



  1. miwtony · November 20, 2016

    where is the code?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.