rest-api-blueprint / Capabilities

Taking a cue from, I choose not to leverage a large library like Flask-Principal for now.

Instead, a simple decorator is used which combines authentication against OAuth with authorization against a capability model. See the clean Flask decorators in the example code.


  • Failure to authenticate (e.g. secret key is wrong) results in a 401 with an appropriate WWW-Authenticate header.
  • Failure to authorize (e.g. capabilities for given key are insufficient to access resource) results in a 403.
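
A sketch of the decorator pattern and the two failure modes described above, as an added example that is not the project's own code. It uses only the standard library: handlers receive a plain headers dict instead of Flask's request object and return `(body, status, headers)` tuples. The names `requires` and `KEY_CAPABILITIES`, the capability strings, the tokens and the Bearer scheme are all assumptions made for illustration.

```python
import hmac
from functools import wraps

# Constructed sample key store: bearer token -> capabilities granted to it.
KEY_CAPABILITIES = {
    "reader-token-constructed": {"people:read"},
    "admin-token-constructed": {"people:read", "people:write"},
}


def _lookup(token):
    """Return the capability set for a token, or None if it is unknown.

    Every stored key is compared with hmac.compare_digest so the time
    taken does not reveal how much of a guessed token matched.
    """
    found = None
    for key, caps in KEY_CAPABILITIES.items():
        if hmac.compare_digest(key.encode(), token.encode()):
            found = caps
    return found


def requires(*needed):
    """Authenticate the caller, then check it holds every needed capability."""
    def decorator(view):
        @wraps(view)
        def wrapper(headers, *args, **kwargs):
            scheme, _, token = headers.get("Authorization", "").partition(" ")
            caps = _lookup(token.strip()) if scheme.lower() == "bearer" else None
            if caps is None:
                # Authentication failed: 401 plus a WWW-Authenticate challenge.
                return ({"error": "unauthorized"}, 401,
                        {"WWW-Authenticate": 'Bearer realm="api"'})
            if not set(needed) <= caps:
                # Known key, insufficient capabilities: 403.
                return ({"error": "forbidden"}, 403, {})
            return view(headers, *args, **kwargs)
        return wrapper
    return decorator


@requires("people:read")
def list_people(headers):
    return ({"people": ["alice", "bob"]}, 200, {})


@requires("people:write")
def add_person(headers, name):
    return ({"created": name}, 201, {})
```

The authentication check runs before the capability check, so an unknown key always gets a 401 and never learns whether a resource would have been forbidden.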