Configuration.api_key* are not really used #10

@josegomezr

I got tempted to pass api_key = 'my-super-duper-secret-key' to the Configuration object, as one has an API key at hand, and all I got was a 403 Error (t-shirt material right there).

import os
import sys
import authentik_client


def main():
    host = os.environ.get("AUTHENTIK_HOST")  # I passed here a URL ending in "/api/v3" even though it is called "host", see #9
    token = os.environ.get("AUTHENTIK_TOKEN")
    if not token:
        print("AUTHENTIK_TOKEN unset")
        sys.exit(1)

    if not host:
        print("AUTHENTIK_HOST unset")
        sys.exit(1)

    configuration = authentik_client.Configuration(
        host=host,
        api_key=token
    )

    with authentik_client.ApiClient(configuration) as api_client:
        # Create an instance of the API class
        api_instance = authentik_client.AdminApi(api_client)
        try:
            api_response = api_instance.admin_apps_list()
            print("The response of AdminApi->admin_apps_list:\n")
            print(api_response)
        except authentik_client.ApiException as e:
            print("Exception when calling AdminApi->admin_apps_list: %s\n" % e)


if __name__ == "__main__":
    main()

When invoking it I got:

python move-okta-app-to-authentik.py 
Exception when calling AdminApi->admin_apps_list: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'date': 'Thu, 30 Oct 2025 20:47:20 GMT', 'content-type': 'application/json; charset=utf-8', 'content-length': '58', 'allow': 'GET, HEAD, OPTIONS', 'referrer-policy': 'same-origin', 'vary': 'Accept-Encoding, Cookie', 'x-authentik-id': 'af8d40bf08934e5cb8e602be325694f6', 'x-content-type-options': 'nosniff', 'x-frame-options': 'DENY', 'x-powered-by': 'authentik', 'strict-transport-security': 'max-age=31536000; includeSubDomains'})
HTTP response body: detail='Authentication credentials were not provided.' code=None

In fairness, the example in the README.md points out the usage of access_token; however, it doesn't really align with the nomenclature.

# Configure Bearer authorization: authentik
configuration = authentik_client.Configuration(
    access_token = os.environ["BEARER_TOKEN"]
)

But your API Credential to interact with the server is a "Bootstrap token", and for users you can create "Token"s (notice the lack of "Access").
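Added example, not part of the original issue and not authentik_client code: a pre-flight check that refuses to proceed when a configuration would send no credentials, so a token passed to the wrong parameter fails loudly instead of surfacing as a 403. It assumes the configuration object exposes `auth_settings()`, as clients produced by OpenAPI Generator do; `StandInConfiguration`, `outgoing_auth_headers`, `require_credentials`, the host and the token values are constructed for illustration.

```python
# Constructed stand-in (NOT authentik_client code): mirrors the behaviour reported
# in this issue, where api_key is accepted but only access_token is emitted.
class StandInConfiguration:
    def __init__(self, host, api_key=None, access_token=None):
        self.host = host
        self.api_key = api_key
        self.access_token = access_token

    def auth_settings(self):
        auth = {}
        if self.access_token is not None:
            auth["authentik"] = {
                "type": "bearer",
                "in": "header",
                "key": "Authorization",
                "value": "Bearer " + self.access_token,
            }
        return auth


def outgoing_auth_headers(configuration):
    """Header credentials the client would attach, keyed by header name."""
    # Assumption: configuration exposes auth_settings(), as OpenAPI Generator clients do.
    return {
        s["key"]: s["value"]
        for s in configuration.auth_settings().values()
        if s.get("in") == "header" and s.get("value")
    }


def require_credentials(configuration):
    """Raise before any request is made if no credential header would be sent."""
    headers = outgoing_auth_headers(configuration)
    if not headers:
        raise RuntimeError(
            "no credentials would be sent; a Bearer scheme reads access_token, not api_key"
        )
    return sorted(headers)  # header names only, never the secret values


if __name__ == "__main__":
    url = "https://authentik.example/api/v3"  # constructed host
    good = StandInConfiguration(url, access_token="constructed-token")
    print(require_credentials(good))
    try:
        require_credentials(StandInConfiguration(url, api_key="constructed-token"))
    except RuntimeError as exc:
        print("refused:", exc)
```
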
