That makes any number of assumptions about the API layer, what "key based auth" is used and what data the database has.
For example, I'd probably trust MySQL or PostgreSQL key validation more than what some random dev has coded in a private repo (more eyes on the code and probably better developers looking at it).
Auth is something that a lot of devs still do not implement properly, and even popular libs for it like Passport for Node and others (including default configs for most JWT libs) have had very bad security issues.
If your minimum permissions map well onto the database's permission model then it's better to not have a layer in between. Proper db permissions and using TLS/SSH as a transport is probably better.