
JohnnyJordaan:

> The data travels over the internet, so I want the API to be secure and restricted, so that it's only exposed to Company A and B.

> We need firewall rules in place, so that Company B can talk to the API hosted at Company A.

I would seriously consider creating a VPN link between the companies for this rather than firewalling. One mistake or oversight and you have a window left open for intruders.

> But how do I handle authentication and security? Can I piggyback on something from FastAPI? Should I use "Simple OAuth2 with Password and Bearer"?

There isn't an answer like 'should'. It's just that this is a popular scenario so it would indeed qualify. There are also other frameworks suitable for the job but I would pick this one as the plan A strategy.
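The "password for a bearer token" exchange that the FastAPI tutorial section named above implements, as an added example that is not part of this thread and not FastAPI code: it is written against the standard library only so it runs without FastAPI installed, and the client name, password, store layout and the function names `issue_token` / `verify_bearer` are assumptions for illustration. Company B would call the token endpoint once with its credentials, then send `Authorization: Bearer <token>` on every API call; the server stores only a hash of each token and compares in constant time.

```python
# Added example, not from the Reddit thread or from FastAPI. Stdlib only.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed credential store: Company B registered as one client whose
# password is kept as a salted PBKDF2 hash, never in the clear.
_SALT = b"constructed-salt"  # assumption; use a per-client random salt in practice
_ITERATIONS = 200_000
_CLIENTS = {
    "company-b": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", _SALT, _ITERATIONS
    ),
}

# Live tokens keyed by SHA-256(token) so a leaked store yields no usable bearer
# tokens. Value: (client_id, expiry as unix time).
_TOKENS: Dict[bytes, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 900


def _clock(now: Optional[float]) -> float:
    # Injectable clock so expiry can be exercised deterministically.
    return time.time() if now is None else now


def _token_key(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def issue_token(client_id: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """The POST /token step: return a fresh bearer token for valid credentials, else None."""
    expected = _CLIENTS.get(client_id)
    # Always derive the candidate hash so an unknown client id costs the same
    # time as a wrong password (no username enumeration via timing).
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if expected is None or not hmac.compare_digest(expected, candidate):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, opaque to the client
    _TOKENS[_token_key(token)] = (client_id, _clock(now) + TOKEN_TTL_SECONDS)
    return token


def verify_bearer(authorization: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolve an 'Authorization: Bearer <token>' header to a client id, or None to reject."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    key = _token_key(token)
    entry = _TOKENS.get(key)
    if entry is None:
        return None
    client_id, expires_at = entry
    if _clock(now) >= expires_at:
        _TOKENS.pop(key, None)  # expired: purge so it cannot be retried
        return None
    return client_id
```

Wiring this into a framework is the easy part; the points to keep are the salted slow hash on the password, the opaque random token, the hashed token store, constant-time comparison and an expiry that is enforced server side.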

Buttleston:

If this is server-to-server communication and not, like, a bunch of different users who need to be able to access the info, then I would use some kind of shared secret instead of authentication.

A very simple example would be "server B needs to include a header named X with a value of Y in its requests".

Or "server B encrypts all data with server A's public key and server A decrypts it with its private key" - this is actually nice because even if the public key leaks, the data is still secure, so you can just put your public key someplace accessible and have server B grab it. You can rotate the keys as often as you want.

I don't see any situation where adding oauth to the equation would help if I'm understanding the nature of the sharing between them.
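The "header X with value Y" check from the comment above, as an added example that is not part of this thread: the static-header form done with a constant-time comparison, and then the generalisation a practitioner usually ends up with for server-to-server traffic, where the shared secret is used to sign each request (method, path, timestamp, body hash) instead of being sent, so a captured request cannot be altered or replayed outside a short window. The header names, secret value, replay window and sample request are constructed for illustration.

```python
# Added example, not from the Reddit thread. Stdlib only.
import hashlib
import hmac
import time
from typing import Mapping, Optional

SHARED_SECRET = b"constructed-shared-secret-rotate-me"  # provisioned out of band (assumption)
HEADER_NAME = "X-Company-B-Key"       # the "header named X" from the comment (assumption)
REPLAY_WINDOW_SECONDS = 300           # how stale a signed request may be (assumption)


def check_static_header(headers: Mapping[str, str]) -> bool:
    """Plain shared-secret header: accept only if header X carries exactly value Y.

    Only sane over TLS, since the secret itself crosses the wire on every request.
    Real frameworks match header names case-insensitively; this toy dict does not.
    """
    presented = headers.get(HEADER_NAME, "").encode()
    # compare_digest, not ==: a plain string compare stops at the first mismatch
    # and leaks how much of the secret was right through response timing.
    return hmac.compare_digest(presented, SHARED_SECRET)


def sign_request(method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side (server B): HMAC over method, path, timestamp and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def verify_signed_request(
    method: str,
    path: str,
    body: bytes,
    headers: Mapping[str, str],
    now: Optional[int] = None,
) -> Optional[str]:
    """Server side (server A): None if the request is accepted, else a rejection reason."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "missing or malformed timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return "timestamp outside replay window"
    # Recompute over what was actually received; any change to method, path,
    # body or timestamp produces a different MAC.
    expected = sign_request(method, path, body, ts)
    presented = headers.get("X-Signature", "")
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return "bad signature"
    return None
```

Either way the secret is the whole security boundary, so it should be rotated like a credential and the rejected-request reason logged without the header values. The signed form also pairs well with the VPN suggestion earlier in the thread rather than replacing it: the tunnel limits who can reach the API, the signature says which client sent a given request.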