Secure /predict with Bearer API key auth

server.py

@@ -1,11 +1,16 @@
 from __future__ import annotations
 
-from fastapi import FastAPI
+import os
+
+from fastapi import Depends, FastAPI, HTTPException, Security
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from pydantic import BaseModel
 
 from inference.predict import predict
 
+API_KEY = os.environ.get("API_KEY", "")
+
 app = FastAPI(title="M2Predict API")
 
 app.add_middleware(
@@ -15,6 +20,18 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
+security = HTTPBearer()
+
+
+def verify_api_key(
+    credentials: HTTPAuthorizationCredentials = Security(security),
+) -> str:
+    if not API_KEY:
+        raise HTTPException(status_code=500, detail="API_KEY not configured")
+    if credentials.credentials != API_KEY:
+        raise HTTPException(status_code=403, detail="Invalid API key")
+    return credentials.credentials
+
 
 class PredictRequest(BaseModel):
     code_postal: str
@@ -24,6 +41,10 @@ class PredictRequest(BaseModel):
 
 
 @app.post("/predict")
-def predict_endpoint(req: PredictRequest, model_version: str = "v1_rf_te"):
+def predict_endpoint(
+    req: PredictRequest,
+    model_version: str = "v1_rf_te",
+    _key: str = Depends(verify_api_key),
+):
     result = predict(req.model_dump(), model_version=model_version)
     return result