Try a new uvicore app where there is no user dB, no groups... maybe just a single auth user. So still private api, but no dB use at all. Maybe a hard coded array of user->keys but no permissions since no dB. I guess the auto api does need guards optional for this. Actually guards are OR, so wrap auto api in a group with guard scope=authenticated and it would work.
Also remember personal access tokens. A key made with a list of roles (not permissions). Use can basic auth with that key as the password.
Try a new uvicore app where there is no user dB, no groups... maybe just a single auth user. So still private api, but no dB use at all. Maybe a hard coded array of user->keys but no permissions since no dB. I guess the auto api does need guards optional for this. Actually guards are OR, so wrap auto api in a group with guard scope=authenticated and it would work.
Also remember personal access tokens. A key made with a list of roles (not permissions). Use can basic auth with that key as the password.