services/security.py

# services/security.py
from fastapi import Security, HTTPException, status
from fastapi.security import APIKeyHeader
import config

API_KEY_NAME = "X-API-Key"
api_key_header = APIKeyHeader(name=API_KEY_NAME, auto_error=True)

async def get_api_key(api_key: str = Security(api_key_header)):
    """Dependency to validate API Key."""
    if config.ALLOWED_API_KEYS and api_key not in config.ALLOWED_API_KEYS:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Invalid or missing API Key"
        )
    # If ALLOWED_API_KEYS is empty, allow all requests (useful for local dev or internal use)
    # Consider adding a specific flag for this behaviour if needed for clarity
    return api_key