pyreho

Reputation: 1

In Wagtail, I want to expose the API but only to internal/authorized services

I followed the Wagtail instructions to set up the API v2 in my Wagtail CMS. The CMS will be used in headed mode, but I still want to enable the API so that another service can query for the raw information directly. However, I don't want to enable the API to just be publicly accessible, since that would allow malicious actors to completely scrape the contents of my website. How could I add authentication to the API URL paths, so that only certain services can access it (probably by sharing a secret)?

I've seen that, on a view, I could add something like @login_required, but 1) I'm not sure if I really want other services to be logged in, I just need them to be identified with some secret value and 2) ideally I'd do this at the URL rather than the view level, which could change with updates.

Even so, I tried extending the PagesAPIViewSet to have a CustomAPIViewSet(PagesAPIViewSet) that included the @login_required tag, but I wasn't able to make that work either (it complained about the get_urlpatterns, for which I could find no workaround trying to extend the method of the BaseAPIViewSet).

Upvotes: 0

Views: 364

Answers (1)

cnk

Reputation: 1296

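This is how we added TokenAuthentication to our custom page API, which inherits from Wagtail's PagesAPIViewSet:

```python
from rest_framework.authentication import TokenAuthentication  # assumed: DRF's class, default keyword 'Token'
from rest_framework.permissions import IsAuthenticated
from rest_framework.renderers import JSONRenderer
from wagtail.api.v2.views import PagesAPIViewSet
from .models import NewsPage  # project model; import path assumed


class NewsPagesAPIViewSet(PagesAPIViewSet):
    name = 'news'
    model = NewsPage
    renderer_classes = [JSONRenderer]
    # Require callers to be logged in, or provide the 'Authorization: Api-Key <key>' HTTP header with a valid key.
    authentication_classes = [TokenAuthentication]
    permission_classes = [IsAuthenticated]
```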

Upvotes: 0
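
A URL-level alternative to the view-level classes above, as an added example that is not part of the question or the answer: a standard-library WSGI wrapper that demands `Authorization: Api-Key <key>` for every path under the API prefix and checks the key against stored SHA-256 digests in constant time. The `/api/v2/` prefix, the names `ServiceKeyGate` and `key_digest`, and the `service.name` environ key are assumptions.

```python
import hashlib
import hmac

API_PREFIX = "/api/v2/"  # assumed mount point of the Wagtail API router
SCHEME = "Api-Key"       # header scheme named in the answer's code comment


def key_digest(key: str) -> str:
    """Keep only SHA-256 digests of service keys in config, never the keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ServiceKeyGate:
    """WSGI wrapper: paths under API_PREFIX need 'Authorization: Api-Key <key>'."""

    def __init__(self, app, allowed_digests):
        self.app = app
        self.allowed = dict(allowed_digests)  # service name -> hex digest

    def identify(self, header: str):
        """Return the calling service's name for a valid header, else None."""
        scheme, _, key = header.partition(" ")
        key = key.strip()
        if scheme != SCHEME or not key:
            return None
        presented = key_digest(key)
        match = None
        # Check every entry with a constant-time compare; no early exit.
        for name, digest in self.allowed.items():
            if hmac.compare_digest(presented, digest):
                match = name
        return match

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(API_PREFIX):
            service = self.identify(environ.get("HTTP_AUTHORIZATION", ""))
            if service is None:
                body = b'{"detail": "Invalid or missing API key."}'
                start_response("401 Unauthorized", [
                    ("Content-Type", "application/json"),
                    ("Content-Length", str(len(body))),
                    ("WWW-Authenticate", SCHEME),
                ])
                return [body]
            environ["service.name"] = service  # lets downstream code log the caller
        return self.app(environ, start_response)
```

In `wsgi.py` this would wrap the object returned by Django's `get_wsgi_application()`. Generate the keys with `secrets.token_urlsafe()` so that an unsalted digest cannot be guessed.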
