How to secure newly added APIs
I've created an API in Superset in the config file. It shows up in the Swagger UI and I can call it successfully. My next step is to make sure that it can only be accessed if you have the correct permissions.

So first I tried adding the `@protect()` decorator. This makes it so I get a 401 when accessing the API:

```json
{"message":"Access is Denied","severity":"danger"}
```

So far so good. Now I log in with an admin user using the `/api/v1/security/login` API and I get a token. Then I set the Authorization header on my REST call to my new API and I still get 401. So I thought maybe I need to add the permission to my role. So I add this decorator, `@permission_name("AAAAAA")`, and I go to find that permission in the roles edit section, but it cannot be found. I have tried several different ways to see if I can gain access to the API:
- Tried to change the permission name to some existing permission
- Instead of `@protect()` I tried `@has_access_api`
- I have tried setting the `class_permission_name` and a few other things, and I have spent many hours on this so far searching the net and reading the code and documentation.

Does anyone know what the correct way is to protect the API endpoint in the same way as the Dashboards and Charts APIs are protected? For reference, here is the basic code I am using without permissions:
```python
from flask_appbuilder.api import BaseApi, expose, safe

from superset.app import SupersetAppInitializer
from superset.extensions import appbuilder  # added import: appbuilder was not imported in the posted snippet


class AuthorizationAPI(BaseApi):
    csrf_exempt = True

    @expose('/role/<role>', methods=["POST"])
    @safe
    def role(self, role):
        # My code here
        ...


class MySupsersetAppInitializer(SupersetAppInitializer):
    def init_views(self) -> None:
        # Register the custom API before the stock views are registered
        appbuilder.add_api(AuthorizationAPI)
        super().init_views()


APP_INITIALIZER = MySupsersetAppInitializer
```
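The question above turns on how `@protect()` and `@permission_name(...)` interact, and Flask-AppBuilder's documentation stacks them as `@expose` outermost, then `@protect()`, then `@safe`, then `@permission_name(...)`. The following is an added example, not code from the issue, from Superset or from Flask-AppBuilder: a stand-alone model of the decorator mechanics (a `_permission_name` attribute on the view function, the `can_` prefix, a per-class `base_permissions` set and a role lookup, all assumptions modelled on FAB's public behaviour; the role table is constructed). `@expose` and `@safe` are left out because they take no part in the check. It shows why the same Admin role is allowed with the documented order and denied when `@permission_name` is applied outside `@protect()`: the check reads the name from the inner function, so a tag applied outside the wrapper never reaches it.

```python
"""Stand-alone model of FAB-style ``permission_name`` / ``protect`` decorators.

Assumption: this mirrors the shape of Flask-AppBuilder's decorators (a
``_permission_name`` attribute on the view function, a ``can_`` prefix, a
per-class ``base_permissions`` set and a role lookup) but is not FAB code.
"""
import functools

PERMISSION_PREFIX = "can_"

# Constructed role table standing in for the security manager's database:
# Admin has been granted "can_AAAAAA on AuthorizationAPI", Gamma has nothing.
ROLE_PERMISSIONS = {
    "Admin": {("can_AAAAAA", "AuthorizationAPI")},
    "Gamma": set(),
}


class Denied(Exception):
    """Stands in for the 401/403 "Access is Denied" JSON response."""


def permission_name(name):
    """Tag a view method with a custom permission name (replaces can_<method>)."""
    def wrap(f):
        f._permission_name = name
        return f
    return wrap


def protect():
    """Wrap a view method in the permission check.

    The name is read from the *inner* function ``f`` at call time, and
    ``functools.wraps`` only copies attributes outward, so a ``permission_name``
    applied outside ``protect`` changes the wrapper's attribute but not the
    name the check uses.
    """
    def _protect(f):
        if not hasattr(f, "_permission_name"):
            f._permission_name = f.__name__  # default: can_<method name>

        @functools.wraps(f)
        def wrapper(self, *args, **kwargs):
            perm = PERMISSION_PREFIX + f._permission_name
            cls = self.class_permission_name
            if perm not in self.base_permissions:
                raise Denied(f"{perm} is not a declared permission of {cls}")
            if (perm, cls) not in ROLE_PERMISSIONS[self.current_role]:
                raise Denied(f"role {self.current_role} lacks {perm} on {cls}")
            return f(self, *args, **kwargs)
        return wrapper
    return _protect


class ModelApi:
    """Minimal stand-in for BaseApi: collects declared permissions at construction."""
    class_permission_name = None

    def __init__(self, current_role):
        self.current_role = current_role
        self.class_permission_name = self.class_permission_name or type(self).__name__
        # Declared permissions are gathered from the methods' _permission_name tags.
        self.base_permissions = {
            PERMISSION_PREFIX + getattr(getattr(self, n), "_permission_name")
            for n in dir(self)
            if hasattr(getattr(self, n), "_permission_name")
        }


class AuthorizationAPI(ModelApi):
    """Documented order: protect wraps a method already tagged with its permission name."""
    class_permission_name = "AuthorizationAPI"

    @protect()
    @permission_name("AAAAAA")
    def role(self, role):
        return {"role": role}


class MisorderedAPI(ModelApi):
    """Same endpoint, but permission_name applied outside protect."""
    class_permission_name = "AuthorizationAPI"

    @permission_name("AAAAAA")
    @protect()
    def role(self, role):
        return {"role": role}


def try_call(api_cls, role_name, arg="Gamma"):
    """Return ("ok", body) or ("denied", reason) for role_name calling the endpoint."""
    api = api_cls(current_role=role_name)
    try:
        return "ok", api.role(arg)
    except Denied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    for api_cls in (AuthorizationAPI, MisorderedAPI):
        for role_name in ("Admin", "Gamma"):
            print(api_cls.__name__, role_name, try_call(api_cls, role_name))
```

With the misordered stack, `MisorderedAPI` declares `can_AAAAAA` but checks `can_role`, so every caller, Admin included, is denied, which is the symptom described in the question. In a real Superset deployment there is a second step the model does not cover: the permission `can_AAAAAA on AuthorizationAPI` only appears in the role editor after permissions have been synced (`superset init`), so run that before testing the endpoint with the login token.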
Top GitHub Comments
After spending too much time debugging, I finally found the problem. It all came down to the order of the decorators. This order is working for me now: