DRF in Depth: Auth, Permissions & Pagination

From intro to production API

The previous lesson built a working API with a serializer and a viewset. Real backend jobs need more: clients must log in to the API, some endpoints must be protected, long lists must be paginated, and the API must be searchable and protected from abuse. This lesson adds each of those, building on the same Post API.

Routers — URLs for free

Writing a URL pattern for every endpoint is tedious. A router looks at a viewset and generates all its URLs automatically (list, detail, create, update, delete). You register the viewset once:

# urls.py
from rest_framework.routers import DefaultRouter
from .views import PostViewSet

router = DefaultRouter()
router.register("posts", PostViewSet)   # generates /posts/ and /posts/<id>/

urlpatterns = router.urls

Authentication — who is calling the API?

A web page uses cookies and sessions, but an API client (a React app, a phone, another server) usually sends a token instead — a long secret string that proves identity on every request. Two common styles:

JWT (JSON Web Token) is the popular choice. The package djangorestframework-simplejwt gives you ready-made endpoints: the client posts a username and password and gets back a token, then sends that token on future requests. Set it up in two steps:

# settings.py
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework_simplejwt.authentication.JWTAuthentication",
    ],
}

# urls.py
from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView
urlpatterns += [
    path("api/token/", TokenObtainPairView.as_view()),     # log in -> get token
    path("api/token/refresh/", TokenRefreshView.as_view()),# get a fresh token
]

How a client uses JWT, step by step:

1. The client POSTs its username and password to /api/token/.
2. The server checks them and returns an access token (short-lived) and a refresh token.
3. On every protected request the client sends the access token in a header: Authorization: Bearer <token>.
4. DRF decodes the token, identifies the user, and lets the request through.
5. When the access token expires, the client POSTs the refresh token to /api/token/refresh/ to get a new one — no re-login needed.

Permissions — what is each caller allowed to do?

A permission class decides, per request, whether a caller may proceed. DRF ships several; you set them on a view or globally. The most useful: IsAuthenticated (must be logged in) and IsAuthenticatedOrReadOnly (anyone may read, only logged-in users may write):

from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticatedOrReadOnly
from .models import Post
from .serializers import PostSerializer

class PostViewSet(viewsets.ModelViewSet):
    queryset = Post.objects.all()
    serializer_class = PostSerializer
    permission_classes = [IsAuthenticatedOrReadOnly]   # read = public, write = login

Pagination — never dump 10,000 rows

Pagination splits a long list into pages so the API returns, say, 10 items at a time instead of everything at once. Turn it on globally in settings:

# settings.py
REST_FRAMEWORK = {
    "DEFAULT_PAGINATION_CLASS":
        "rest_framework.pagination.PageNumberPagination",
    "PAGE_SIZE": 10,
}

Filtering, search & throttling

Two more job-ready touches. Filtering/search lets clients narrow results with query parameters (?search=django). Throttling limits how many requests a caller can make, protecting the API from abuse:

# views.py — add search to the viewset
from rest_framework import filters

class PostViewSet(viewsets.ModelViewSet):
    queryset = Post.objects.all()
    serializer_class = PostSerializer
    filter_backends = [filters.SearchFilter]
    search_fields = ["title", "body"]      # GET /posts/?search=django

# settings.py — throttle anonymous callers
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": ["rest_framework.throttling.AnonRateThrottle"],
    "DEFAULT_THROTTLE_RATES": {"anon": "100/day"},
}