regen-network / regen-server

:seedling: Regen web server and database

Home Page:https://api.regen.network


Protect POST /iri-gen with API key

wgwz opened this issue · comments

After a brief convo with @clevinson in today's engineering check-in, we would like to implement some lightweight auth for the /iri-gen endpoint.
We would like to require that developers who want to use that API, for example, sign-up with an email address.
I wanted to open this ticket as a place to discuss some ideas for this.

Cory and I discussed some light-weight solutions, and we agree it's good to keep this simple for now.
The main concern is just to prevent DoS or huge amounts of data being input into our database via /iri-gen.
By having a sign-up and API keys, we can track who's doing what, and also can implement some rate-limiting.

The first simple solution is an email sign-up page. If a developer wants to POST data, they submit a request to the sign-up form. After confirming their email address we generate an API key, and record their email/key in the DB. Subsequent requests to /iri-gen would verify that a valid API key is present in the request, and if not, abort with status 401.

A second idea is that we can have a keplr address sign-up. This is nice because then we don't need email confirmation. The user would go to the sign-up page, and after clicking "sign-up", we invoke the signArbitrary API of the keplr wallet. After verifying the signature, we create the API key and save it to the DB.

In either of these scenarios, we would need a front-end adjustment, because the UI does make use of /iri-gen. We would need to adjust the API call there to use withCredentials. This would allow the UI to interact with that API in a secure way, while at the same time, not requiring an API key to be present in the app.

So the adjustments to the /iri-gen endpoint would need to be at least two-fold. We would require one of these two checks to pass:

  1. The API key is valid
  2. It's a credentialed request (it's a request coming from an authenticated user session in the app)

An alternative solution could be to automatically generate an API key for users that sign in to our application. This API key could be rendered in the portfolio/profile page. This has the benefit of not requiring an extra signature, aside from signing in the app. But this might clutter the UI or confuse users.

WDYT @clevinson? Do you have any other ideas?

/cc @blushi

Spoke with @blushi about this today in our 1-1 and in general, I think we both favor the second option:

> A second idea is that we can have a keplr address sign-up. This is nice because then we don't need email confirmation. The user would go to the sign-up page, and after clicking "sign-up", we invoke the signArbitrary API of the keplr wallet. After verifying the signature, we create the API key and save it to the DB.

But we realized that it's also important to consider the UX here. If we go with the second option, we are gating access to the POST /iri-gen API with a keplr wallet requirement. Whereas, an email sign-up might provide a better UX for the target audience here.

@clevinson do you have any thoughts on the UX of this?

@S4mmyb do you have any opinions/thoughts on this and the UX?
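
The two-fold check proposed in the issue (a valid API key or a credentialed app session, otherwise 401) combined with per-key rate limiting, as an added example that is not part of the thread or of regen-server's code. The `x-api-key` header, the `ApiKeyStore` class, the request shape, the 429 response and the limits are assumptions made for illustration.

```javascript
// Added example: names, header, status 429 and limits are assumptions.
const crypto = require("node:crypto");

const hashKey = (key) => crypto.createHash("sha256").update(String(key)).digest("hex");

class ApiKeyStore {
  constructor({ limit = 60, windowMs = 60_000 } = {}) {
    this.keys = new Map(); // sha256(key) -> { owner, windowStart, count }
    this.limit = limit;
    this.windowMs = windowMs;
  }
  // Called once sign-up is confirmed (email link or verified wallet signature).
  // Only the hash is stored, so a database leak does not expose usable keys.
  issue(owner) {
    const key = crypto.randomBytes(32).toString("hex");
    this.keys.set(hashKey(key), { owner, windowStart: -Infinity, count: 0 });
    return key; // shown to the developer once, never stored in clear
  }
  // Lookup is by hash, so no secret-dependent string comparison takes place.
  lookup(key) {
    return this.keys.get(hashKey(key));
  }
  // Fixed-window counter per key; false once the limit is exceeded.
  allow(record, now) {
    if (now - record.windowStart >= this.windowMs) {
      record.windowStart = now;
      record.count = 0;
    }
    record.count += 1;
    return record.count <= this.limit;
  }
}

// Decision for POST /iri-gen. `req` is a minimal stand-in for a framework
// request: { headers: {...}, session: { userId } | undefined }.
function authorizeIriGen(req, store, now = Date.now()) {
  // Credentialed request from an authenticated user session in the app.
  if (req.session && req.session.userId) {
    return { status: 200, via: "session", owner: req.session.userId };
  }
  // Otherwise a valid API key is required.
  const key = req.headers["x-api-key"];
  const record = typeof key === "string" ? store.lookup(key) : undefined;
  if (!record) return { status: 401, error: "missing or invalid API key" };
  if (!store.allow(record, now)) {
    return { status: 429, error: "rate limit exceeded", owner: record.owner };
  }
  return { status: 200, via: "api-key", owner: record.owner };
}
```

Because every accepted request resolves to an `owner`, the same return value can feed the "who's doing what" tracking the issue asks for.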