<div class="section" id="api">
<h1>API<a class="headerlink" href="#api" title="Permalink to this heading"></a></h1>
<div class="section" id="api-authentication">
<h2>API Authentication<a class="headerlink" href="#api-authentication" title="Permalink to this heading"></a></h2>
<p>Authentication for the API is handled separately from web authentication. The default is to
check the user session:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="k">[api]</span>
<span class="na">auth_backends</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">airflow.api.auth.backend.session</span>
</pre></div>
</div>
<div class="versionchanged">
<p><span class="versionmodified changed">Changed in version 1.10.11: </span>In Airflow &lt;1.10.11, the default setting was to allow all API requests without authentication, but this
posed security risks if the webserver was publicly accessible.</p>
</div>
<div class="versionchanged">
<p><span class="versionmodified changed">Changed in version 2.3.0: </span>In Airflow &lt;2.3.0 this setting was <code class="docutils literal notranslate"><span class="pre">auth_backend</span></code> and allowed only one
value. In 2.3.0 it was changed to support multiple backends that are tried
in turn.</p>
</div>
<p>To check which authentication backends are currently set, use the <code class="docutils literal notranslate"><span class="pre">airflow</span> <span class="pre">config</span> <span class="pre">get-value</span> <span class="pre">api</span> <span class="pre">auth_backends</span></code>
command, as in the example below.</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>airflow<span class="w"> </span>config<span class="w"> </span>get-value<span class="w"> </span>api<span class="w"> </span>auth_backends
<span class="go">airflow.api.auth.backend.basic_auth</span>
</pre></div>
</div>
<div class="section" id="disable-authentication">
<h3>Disable authentication<a class="headerlink" href="#disable-authentication" title="Permalink to this heading"></a></h3>
<p>If you want the experimental API to work and are aware of the risks of enabling it without authentication
(or if you have your own authentication layer in front of Airflow), you can set the following in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="k">[api]</span>
<span class="na">auth_backends</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">airflow.api.auth.backend.default</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>You can only disable authentication for experimental API, not the stable REST API.</p>
</div>
<p>See <a class="reference internal" href="../administration-and-deployment/modules_management.html"><span class="doc">Modules Management</span></a> for details on how Python and Airflow manage modules.</p>
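<p>The following check is an added example, not part of the Airflow documentation or code base: it reads the <code class="docutils literal notranslate"><span class="pre">[api]</span></code> section of a configuration file and reports the pre-2.3.0 <code class="docutils literal notranslate"><span class="pre">auth_backend</span></code> key and any use of the backend that disables authentication. It assumes that multiple backends are written as a comma-separated list; the function name and the sample fragments are constructed for illustration.</p>

```python
import configparser

# Backend that, per the section above, disables authentication.
NO_AUTH_BACKEND = "airflow.api.auth.backend.default"

# Constructed sample airflow.cfg fragments, not taken from a real deployment.
SAMPLE_OK = """
[api]
auth_backends = airflow.api.auth.backend.session,airflow.api.auth.backend.basic_auth
"""
SAMPLE_RISKY = """
[api]
auth_backend = airflow.api.auth.backend.default
"""


def audit_api_auth(cfg_text):
    """Return a list of findings for the [api] authentication settings."""
    # Interpolation is disabled so '%' characters elsewhere in the file do not raise.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("api"):
        return ["no [api] section: the installed version's built-in default applies"]
    api = parser["api"]
    findings = []
    if "auth_backend" in api:
        findings.append("auth_backend is the pre-2.3.0 key; 2.3.0 and later use auth_backends")
    # Prefer the current key, fall back to the old single-value key.
    raw = api.get("auth_backends", api.get("auth_backend", ""))
    # Assumption: several backends are separated by commas.
    backends = [b.strip() for b in raw.split(",") if b.strip()]
    if not backends:
        findings.append("no backend listed: the installed version's built-in default applies")
    if NO_AUTH_BACKEND in backends:
        findings.append(NO_AUTH_BACKEND + " disables authentication for the experimental API")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("risky", SAMPLE_RISKY)):
        print(name, audit_api_auth(text))
```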
<div class="section" id="kerberos-authentication">
<h3>Kerberos authentication<a class="headerlink" href="#kerberos-authentication" title="Permalink to this heading"></a></h3>
<p>Kerberos authentication is currently supported for the API.</p>
<p>To enable Kerberos authentication, set the following in the configuration:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="k">[api]</span>
<span class="na">auth_backends</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">airflow.api.auth.backend.kerberos_auth</span>

<span class="k">[kerberos]</span>
<span class="na">keytab</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&lt;KEYTAB&gt;</span>
</pre></div>
</div>
<p>The Kerberos service is configured as <code class="docutils literal notranslate"><span class="pre">airflow/fully.qualified.domainname&#64;REALM</span></code>. Make sure this
principal exists in the keytab file.</p>
<p>For this to work, you must name your users with the full Kerberos username/realm.
This means that your user name should be <code class="docutils literal notranslate"><span class="pre">user_name&#64;KERBEROS-REALM</span></code>.</p>
<div class="section" id="basic-authentication">
<h3>Basic authentication<a class="headerlink" href="#basic-authentication" title="Permalink to this heading"></a></h3>
<p><a class="reference external" href="">Basic username password authentication</a> is currently
supported for the API. This works for users created through LDAP login or
within Airflow Metadata DB using password.</p>
<p>To enable basic authentication, set the following in the configuration:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="k">[api]</span>
<span class="na">auth_backends</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">airflow.api.auth.backend.basic_auth</span>
</pre></div>
</div>
<p>The username and password need to be base64-encoded and sent in the
<code class="docutils literal notranslate"><span class="pre">Authorization</span></code> HTTP header in the following format:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>Authorization: Basic Base64(username:password)
</pre></div>
</div>
<p>Here is a sample curl command you can use to validate the setup:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="nv">ENDPOINT_URL</span><span class="o">=</span><span class="s2">&quot;http://localhost:8080&quot;</span>
curl<span class="w"> </span>-X<span class="w"> </span>GET<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--user<span class="w"> </span><span class="s2">&quot;username:password&quot;</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="s2">&quot;</span><span class="si">${</span><span class="nv">ENDPOINT_URL</span><span class="si">}</span><span class="s2">/api/v1/pools&quot;</span>
</pre></div>
</div>
<p>Note that you can enable this setting to allow API access with username and
password credentials even if the Airflow webserver uses another
authentication method. Under this setup, only users created through LDAP or the
<code class="docutils literal notranslate"><span class="pre">airflow</span> <span class="pre">users</span> <span class="pre">create</span></code> command will be able to pass the API authentication.</p>
<div class="section" id="roll-your-own-api-authentication">
<h3>Roll your own API authentication<a class="headerlink" href="#roll-your-own-api-authentication" title="Permalink to this heading"></a></h3>
<p>Each auth backend is defined as a new Python module. It must define two functions:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">init_app(app:</span> <span class="pre">Flask)</span></code> - function invoked when creating the Flask application, which allows you to add a new view.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">requires_authentication(fn:</span> <span class="pre">Callable)</span></code> - a decorator that allows arbitrary code execution before, after, or instead of a view function.</p></li>
</ul>
<p>and may have one of the following to support API client authorizations used by <a class="reference internal" href="../howto/usage-cli.html#cli-remote"><span class="std std-ref">remote mode for CLI</span></a>:</p>
<ul class="simple">
<li><p>function <code class="docutils literal notranslate"><span class="pre">create_client_session()</span> <span class="pre">-&gt;</span> <span class="pre">requests.Session</span></code></p></li>
<li><p>attribute <code class="docutils literal notranslate"><span class="pre">CLIENT_AUTH:</span> <span class="pre">tuple[str,</span> <span class="pre">str]</span> <span class="pre">|</span> <span class="pre">requests.auth.AuthBase</span> <span class="pre">|</span> <span class="pre">None</span></code></p></li>
</ul>
<p>After writing your backend module, provide the fully qualified module name in the <code class="docutils literal notranslate"><span class="pre">auth_backends</span></code> key in the <code class="docutils literal notranslate"><span class="pre">[api]</span></code>
section of <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>.</p>
<p>Additional options to your auth backend can be configured in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>, as a new option.</p>
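<p>A backend module with the two required functions and the optional <code class="docutils literal notranslate"><span class="pre">CLIENT_AUTH</span></code> attribute, as an added example that is not code from the Airflow project. It assumes a single shared token sent as <code class="docutils literal notranslate"><span class="pre">Authorization:</span> <span class="pre">Bearer</span> <span class="pre">&lt;token&gt;</span></code> and read from a hypothetical environment variable <code class="docutils literal notranslate"><span class="pre">MY_AIRFLOW_API_TOKEN</span></code>; the helper <code class="docutils literal notranslate"><span class="pre">bearer_token_ok</span></code> is likewise hypothetical, and the module does not associate the request with an Airflow user.</p>

```python
import hmac
import os
from functools import wraps

# Hypothetical environment variable holding the shared secret (an assumption of
# this example, not an Airflow setting).
TOKEN_ENV_VAR = "MY_AIRFLOW_API_TOKEN"

# Optional attribute from the list above: no client credentials for CLI remote mode.
CLIENT_AUTH = None


def bearer_token_ok(header_value, expected_token):
    """Return True only for 'Bearer <token>' carrying the expected, non-empty token."""
    if not expected_token or not header_value:
        return False  # fail closed when the secret is unset or the header is missing
    scheme, _, presented = header_value.partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison so response timing does not reveal the secret.
    return hmac.compare_digest(presented.strip().encode(), expected_token.encode())


def init_app(app):
    """Invoked when the Flask application is created; this backend adds no views."""


def requires_authentication(fn):
    """Decorator around a view function: call it only when the token matches."""

    @wraps(fn)
    def decorated(*args, **kwargs):
        # Imported here so bearer_token_ok() can be tested without Flask installed.
        from flask import Response, request

        header = request.headers.get("Authorization", "")
        if bearer_token_ok(header, os.environ.get(TOKEN_ENV_VAR, "")):
            return fn(*args, **kwargs)
        return Response("Unauthorized", 401, {"WWW-Authenticate": "Bearer"})

    return decorated
```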
<div class="section" id="enabling-cors">
<h2>Enabling CORS<a class="headerlink" href="#enabling-cors" title="Permalink to this heading"></a></h2>
<p><a class="reference external" href="">Cross-origin resource sharing (CORS)</a>
is a browser security feature that restricts HTTP requests that are initiated
from scripts running in the browser.</p>
<p><code class="docutils literal notranslate"><span class="pre">Access-Control-Allow-Headers</span></code>, <code class="docutils literal notranslate"><span class="pre">Access-Control-Allow-Methods</span></code>, and
<code class="docutils literal notranslate"><span class="pre">Access-Control-Allow-Origin</span></code> headers can be added by setting values for
<code class="docutils literal notranslate"><span class="pre">access_control_allow_headers</span></code>, <code class="docutils literal notranslate"><span class="pre">access_control_allow_methods</span></code>, and
<code class="docutils literal notranslate"><span class="pre">access_control_allow_origins</span></code> options in the <code class="docutils literal notranslate"><span class="pre">[api]</span></code> section of the
<code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> file.</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="k">[api]</span>
<span class="na">access_control_allow_headers</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">origin, content-type, accept</span>
<span class="na">access_control_allow_methods</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">POST, GET, OPTIONS, DELETE</span>
<span class="na">access_control_allow_origins</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s"></span>
</pre></div>
</div>
<div class="section" id="page-size-limit">
<h2>Page size limit<a class="headerlink" href="#page-size-limit" title="Permalink to this heading"></a></h2>
<p>To protect against requests that may lead to application instability, the stable API limits the number of items returned in a response.
The default is 100 items, but you can change it using the <code class="docutils literal notranslate"><span class="pre">maximum_page_limit</span></code> option in the <code class="docutils literal notranslate"><span class="pre">[api]</span></code>
section of the <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> file.</p>
