Question about API tokens and authentication

Hi! I’m working on a Django project. The application consists on an API that’s going to lend students an html view to practice their pronunciation. It’s going to be served to pages, where each one has its own students. When a student wants to access the HTML view, he isn’t going to log in our application with the usual username/password protocol, instead, the user authentication is going to be handled with magic links (see the library django-sesame, it’s awesome!). This is done because the users are already logged in their respective page, it would be a hindrance if they have to log in again. Then, each web page would make a request to one of our endpoints to generate a link of the user they want at the moment they would like to sign in.
My problem or question is, what’s the best way to authenticate the web pages (not the users)? As I’m seeing the problem, the following points have to be accomplished:

  • Not using sessions: There’s no need to maintain a session, I only have to get a link.
  • Use API keys for each page.
  • Have an authentication system: I don’t want a page being able to access other page’s users.

But API keys don’t authenticate! They only manage authorization.

The way I was thinking it was giving each page an API key from which they would access an API endpoint. From there, they would access a ‘Pages’ table in the database, which contains a field api_key. If it matches, then they could access the users from the User table.

This approach sounds crazy! But I couldn’t see another way. What would you recommend?

I ended up using Django rest framework api key module for managing the pages api keys, and then django-sesame for creating magic links for the users to authenticate