Admin endpoint authentication.
Reads the expected token from the ADMIN_TOKEN environment variable at
startup. If the variable is unset or empty, all admin endpoints refuse
every request — they are effectively disabled. This is the secure default:
you must explicitly opt in by setting ADMIN_TOKEN to a non-empty value.
Clients authenticate by sending X-Admin-Token: <value>. The comparison
is constant-time to avoid leaking the token via timing side channels.
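
The behaviour described above, as an added example that is not this crate's own code: the names AdminAuth, configured_token, ct_eq and check_admin are hypothetical, and the header value is passed in as a plain Option rather than taken from any particular web framework's request type.

```rust
use std::hint::black_box;

#[derive(Debug, PartialEq)]
enum AdminAuth {
    Allowed,
    Disabled, // ADMIN_TOKEN unset or empty: every request is refused
    Denied,   // header missing or value does not match
}

/// Normalise the raw environment value: unset and empty both mean "disabled".
fn configured_token(raw: Option<String>) -> Option<String> {
    raw.filter(|t| !t.is_empty())
}

/// Best-effort constant-time equality using only std. The loop length depends
/// only on the client-supplied value, and the length difference is folded into
/// the accumulator instead of returning early. A vetted crate such as `subtle`
/// is the usual choice in production code.
fn ct_eq(expected: &[u8], presented: &[u8]) -> bool {
    if expected.is_empty() {
        return false; // never treat an empty secret as matchable
    }
    let mut diff: usize = expected.len() ^ presented.len();
    for (i, &p) in presented.iter().enumerate() {
        let e = expected[i % expected.len()];
        diff |= black_box((e ^ p) as usize);
    }
    diff == 0
}

/// `header` is the value of X-Admin-Token, if the client sent one.
fn check_admin(expected: Option<&str>, header: Option<&str>) -> AdminAuth {
    let expected = match expected {
        Some(e) if !e.is_empty() => e,
        _ => return AdminAuth::Disabled, // fail closed
    };
    match header {
        Some(h) if ct_eq(expected.as_bytes(), h.as_bytes()) => AdminAuth::Allowed,
        _ => AdminAuth::Denied,
    }
}

fn main() {
    // Read once at startup, as the module description states.
    let expected = configured_token(std::env::var("ADMIN_TOKEN").ok());
    let header = Some("constructed-sample-value"); // constructed input
    println!("{:?}", check_admin(expected.as_deref(), header));
}
```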
Functions
- require_admin - Verify the request carries a valid admin token.