Fastapi: [QUESTION] Authentication for StreamingResponse

Created on 16 Sep 2019  ·  4 Comments  ·  Source: tiangolo/fastapi

Description

I followed the excellent guide to implement OAuth authentication (with JWT) from the docs.

However, when I'm linking directly to files in the browser (files are returned with starlette.responses.StreamingResponse), it is not possible to set the headers and the Bearer token.

Is it possible to authenticate in some other way, for example by using query string parameters or short lived temporary tokens?

Additional context
My workaround is to handle it in the front end as described in this Stack Overflow post https://stackoverflow.com/a/43133108

question

All 4 comments

In general, you should avoid relying solely on query parameters for authentication, as URLs may not be well secured (e.g., they could show up in link history in a shared browser).

Depending on your security requirements, if you don't want to make use of a front-end trick like the one you linked, you could

  1. Create a short-term link with an expiration (this should be possible using pyjwt or itsdangerous) -- the signed claims could be passed as a query or path parameter
  2. Optionally, restrict the link to a single use (or a small number of uses), if you also control the file sharing.

Separately, I'm not very knowledgeable about browsers, but might it be possible to use a cookie for this use case? If a set cookie can be read from the browser even when just a link is clicked, then you should be able to use your usual token-based auth without a problem -- just pass it via cookie rather than via authorization header.

You could use a shorter-term temporary and/or one-time-use token in the cookie if there are security concerns with using cookies (again, I'm not an expert).

Thank you for your answer.
I will investigate the proposed solutions and see what will work.

As @dmontagu says, a short-lived URL would work. That would be especially useful if you want users to be able to share the link for someone else to download the file with a short expiration.

On the other side, yep, you could set a cookie with the token in the same response with the token in JSON (during login).

Then you would create a dependency that checks for a bearer token OR a cookie.
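The two ideas above, as an added example that is not code from the thread or from FastAPI: a short-lived signed download token that can ride in a query or path parameter, and a dependency-style lookup that accepts either a bearer header or a cookie. The signing uses only the standard library (HMAC-SHA256) as a stand-in for the pyjwt/itsdangerous suggestion, and the FastAPI `Depends`/`Header`/`Cookie` wiring is left out so the block runs without the framework; `SECRET` and the cookie name are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for this example; a real service loads it from configuration.
SECRET = b"example-signing-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_download_token(file_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Sign {file_id, exp} so the claims can travel as a query or path parameter."""
    issued = time.time() if now is None else now
    claims = {"file_id": file_id, "exp": int(issued) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_download_token(token: str, file_id: str, now: Optional[float] = None) -> bool:
    """Accept only an untampered, unexpired token minted for exactly this file."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return False  # signature mismatch: forged or corrupted link
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False  # malformed token (bad split, bad base64, bad JSON)
    checked_at = time.time() if now is None else now
    return claims.get("file_id") == file_id and checked_at < claims.get("exp", 0)


def token_from_request(authorization: Optional[str], access_token_cookie: Optional[str]) -> Optional[str]:
    """Dependency-style lookup: bearer header first, then the cookie set at login."""
    if authorization:
        scheme, _, value = authorization.partition(" ")
        if scheme.lower() == "bearer" and value:
            return value
    return access_token_cookie or None
```

In a FastAPI app, `token_from_request` would take `authorization: str = Header(None)` and `access_token_cookie: str = Cookie(None)` and feed the returned token into the existing JWT check; the signed link is checked with `verify_download_token` inside the file endpoint before building the `StreamingResponse`.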

Assuming the original issue was solved, it will be automatically closed now. But feel free to add more comments or create new issues.

