Support API Key Header Validation for Selected FrameX APIs #27

@touale

Background

FrameX exposes multiple APIs for different clients and integration scenarios. In some deployments, not all APIs require the same level of access control.
To improve security and flexibility, it is desirable to support API key–based authentication through HTTP headers, while applying this constraint only to selected APIs instead of enforcing it globally.

Problem Statement

Currently:

  • FrameX does not provide a built-in mechanism to validate API keys from request headers
  • Authentication and authorization logic must be implemented externally
  • It is not possible to enforce API key validation on only a subset of APIs

This limitation makes it difficult to:

  • Protect sensitive APIs while keeping others public
  • Support mixed public and private API usage patterns
  • Gradually introduce authentication without breaking existing clients

Proposal

Add support for API key validation based on HTTP request headers, with the ability to enable this validation only for selected APIs or routes.

Expected Behavior

When API key validation is enabled for an API:

  • FrameX checks the presence and validity of the API key in the request headers
  • Requests with missing or invalid API keys are rejected

When API key validation is not enabled:

  • Requests are processed normally
  • No additional authentication checks are applied

Benefits

  • Improves security for sensitive APIs
  • Enables fine-grained access control
  • Supports gradual rollout of authentication mechanisms
  • Maintains backward compatibility

Additional Notes

  • The header name used for API key validation should be configurable
  • The validation strategy and enforcement scope should be flexible enough to fit different deployment scenarios
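A framework-agnostic sketch of the behaviour proposed above, added here as an illustration; it is not part of the original issue and not FrameX code. It assumes the server hands over an already percent-decoded path and a header mapping, and the names `ApiKeyPolicy`, `protected_prefixes` and the sample key are hypothetical.

```python
import hmac
import posixpath


class ApiKeyPolicy:
    """Hypothetical per-route API key policy (names are assumptions, not FrameX's API)."""

    def __init__(self, header_name, valid_keys, protected_prefixes):
        self.header_name = header_name.lower()  # HTTP header names are case-insensitive
        self.valid_keys = [k.encode() for k in valid_keys]
        self.protected_prefixes = [p.rstrip("/") for p in protected_prefixes]

    def requires_key(self, path):
        # Normalise before matching so "/public/../admin/x" or "//admin/x"
        # is judged as the route a router would resolve it to.
        norm = posixpath.normpath("/" + path.lstrip("/"))
        return any(norm == p or norm.startswith(p + "/") for p in self.protected_prefixes)

    def check(self, path, headers):
        """Return (allowed, reason) for one request."""
        if not self.requires_key(path):
            return True, "not_protected"
        lowered = {name.lower(): value for name, value in headers.items()}
        presented = lowered.get(self.header_name, "").encode()
        if not presented:
            return False, "missing_key"
        # Compare against every configured key in constant time; no early exit,
        # so timing does not reveal which key (if any) matched.
        matched = False
        for key in self.valid_keys:
            matched |= hmac.compare_digest(presented, key)
        return (True, "ok") if matched else (False, "invalid_key")


# Constructed sample configuration: one protected prefix, everything else public.
policy = ApiKeyPolicy(
    header_name="X-API-Key",
    valid_keys=["constructed-sample-key-1"],
    protected_prefixes=["/api/v1/admin"],
)
```

Matching on whole path segments keeps `/api/v1/administrator` public while `/api/v1/admin/` and `/api/v1/public/../admin/users` are both treated as protected.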

Labels: enhancement (New feature or request)
