Instead a simple decorator is used which combines authentication against OAuth with authorization against a capability model. See the clean Flask decorations in the example code.
- Failure to authenticate (e.g. secret key is wrong) results in a 401 with an appropriate WWW-Authenticate header.
- Failure to authorize (e.g. capabilities for given key are insufficient to access resource) results in a 403.