rest-api-blueprint / Capabilities

Taking a cue from http://flask.pocoo.org/snippets/98, I choose not to leverage a large library like Flask-Principal for now.

Instead, a simple decorator is used that combines authentication against OAuth with authorization against a capability model. See the clean Flask decorations in the example code.


  • Failure to authenticate (e.g. the secret key is wrong) results in a 401 with an appropriate WWW-Authenticate header.
  • Failure to authorize (e.g. the capabilities for the given key are insufficient to access the resource) results in a 403.
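
The two failure modes above, shown as an added example that is not taken from rest-api-blueprint. It is framework-neutral: the handler receives the request headers as a dict (in Flask they would come from `request.headers`) and returns a `(body, status, headers)` tuple. A bearer-key lookup stands in for the OAuth check, and the key table, capability names, realm and function names are all constructed for illustration.

```python
import functools
import hmac

# Constructed sample data: secret key -> capabilities granted to that key.
KEYS = {
    "s3cr3t-reader": {"widgets:read"},
    "s3cr3t-admin": {"widgets:read", "widgets:write"},
}
REALM = "api"  # hypothetical realm name


def capabilities_for(presented):
    """Return the capability set for a presented key, or None if unknown."""
    found = None
    for key, caps in KEYS.items():
        # compare_digest avoids leaking via timing how much of the key matched
        if hmac.compare_digest(key.encode(), presented.encode()):
            found = caps
    return found


def requires(capability):
    """Decorator: authenticate the caller, then authorize one capability."""
    def decorate(handler):
        @functools.wraps(handler)
        def wrapper(headers, *args, **kwargs):
            scheme, _, token = headers.get("Authorization", "").partition(" ")
            caps = None
            if scheme.lower() == "bearer":
                caps = capabilities_for(token.strip())
            if caps is None:
                # Not authenticated: 401 plus a challenge the client can act on
                challenge = {"WWW-Authenticate": 'Bearer realm="%s"' % REALM}
                return "authentication required", 401, challenge
            if capability not in caps:
                # Authenticated but not allowed: 403, and no challenge header,
                # because retrying with the same key cannot succeed
                return "missing capability: " + capability, 403, {}
            return handler(headers, *args, **kwargs)
        return wrapper
    return decorate


@requires("widgets:write")
def delete_widget(headers, widget_id):
    return "deleted %s" % widget_id, 200, {}
```
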