diff --git a/portal/__init__.py b/portal/__init__.py
index 642054e1eae3ce4ca477b4d960c33113987b6bb5..04d8900403036640e95a43c4875e8020c5ab4c70 100644
--- a/portal/__init__.py
+++ b/portal/__init__.py
@@ -1,7 +1,7 @@
 # Taken and adapted from the flaskr tutorial. Database logic adapted from Flask SQLAlchemy Documentation
 # (https://flask-sqlalchemy.palletsprojects.com/en/2.x/contexts/). See LICENSE-3RD-PARTY.md for details.
 import secrets
-from typing import Optional
+from typing import Any, Optional
 from pathlib import Path
 
 from flask import Flask
@@ -9,7 +9,7 @@ from flask_sqlalchemy import SQLAlchemy
 
 from .db_config import get_database_uri, get_uri_for_sqlite
 
-db = SQLAlchemy()
+db: Any = SQLAlchemy()
 
 from .model import *
 
diff --git a/portal/api/agenda.py b/portal/api/agenda.py
index ea5ac56b8bce64dfde9ad7f6bd804b0f00edce40..d7717f61c8dd24d72fbc449fb5c7488663a22241 100644
--- a/portal/api/agenda.py
+++ b/portal/api/agenda.py
@@ -7,7 +7,7 @@ from ..model import Key
 
 @bp.get("/agendas/-/items")
 @require_valid(Key)
-def the_agenda_items():
+def the_agenda_items() -> list[dict[str, str]]:
     tasks = sorted(
         TaigaUserStoryProvider.get_the_one().fetch_user_stories(),
         key=lambda task: task["kanban_order"],
diff --git a/portal/api/auth.py b/portal/api/auth.py
index acf7b0d33774cb7f889bd63b778c1b5bd6d20e19..eae75b8cf41140f8394ad95bef17663f5b87bf6b 100644
--- a/portal/api/auth.py
+++ b/portal/api/auth.py
@@ -1,19 +1,25 @@
 # Login code adapted from the flaskr tutorial (see LICENSE-3RD-PARTY.md for details)
 # See https://flask.palletsprojects.com/en/2.0.x/tutorial/views/
 import functools
+from typing import Any, Callable
 
-from flask import request, g
+from flask import g, request
 
 from portal import db
 
+from ..model import Key, User
+from ..problem_details import ProblemResponse, not_found, unauthorized
 from .blueprint import bp
-from ..model import User, Key
-from ..problem_details import not_found, unauthorized
 
 
 @bp.before_app_request
-def set_user_if_valid():
-    if not request.authorization or request.authorization.type != "basic":
+def set_user_if_valid() -> None:
+    if (
+        not request.authorization
+        or request.authorization.username is None
+        or request.authorization.password is None
+        or request.authorization.type != "basic"
+    ):
         g.user = None
         return
 
@@ -23,15 +29,19 @@ def set_user_if_valid():
 
 
 @bp.before_app_request
-def set_key_if_valid():
-    if not request.authorization or request.authorization.type != "bearer":
+def set_key_if_valid() -> None:
+    if (
+        not request.authorization
+        or request.authorization.token is None
+        or request.authorization.type != "bearer"
+    ):
         g.key = None
         return
 
     g.key = Key.get_by_secret_unless_expired(request.authorization.token)
 
 
-def require_valid(credential_type):
+def require_valid(credential_type: type[User | Key]) -> Callable:
     """
     Requires that valid credentials are provided before allowing access to a route.
     If no valid credentials are provided, abort and send a 401.
@@ -41,9 +51,9 @@ def require_valid(credential_type):
     - `@require_valid(Key)` to require a valid key
     """
 
-    def decorator(route):
+    def decorator(route: Callable) -> Callable:
         @functools.wraps(route)
-        def protected_route(**kwargs):
+        def protected_route(**kwargs: Any) -> ProblemResponse:
             # Determine which credentials to use
             credentials = {User: g.user, Key: g.key}.get(credential_type)
 
@@ -60,14 +70,14 @@ def require_valid(credential_type):
 
 @bp.post("/keys")
 @require_valid(User)
-def post_key():
+def post_key() -> tuple[dict, int]:
     key, secret = Key.generate(g.user)
     return key.to_dict() | {"secret": secret}, 201
 
 
 @bp.delete("/keys/<string:uuid>")
 @require_valid(Key)
-def delete_key(uuid: str):
+def delete_key(uuid: str) -> tuple[str, int] | ProblemResponse:
     key_to_delete = Key.get_only(uuid)
 
     if not key_to_delete:
diff --git a/portal/api/rest.py b/portal/api/rest.py
index dc763fb6d27034c796fbd5f78dc38a2f271723b7..6474513c5db61d0445b710579fbc2d0f02314b47 100644
--- a/portal/api/rest.py
+++ b/portal/api/rest.py
@@ -1,11 +1,11 @@
 from flask import render_template
 
+from ..problem_details import ProblemResponse, not_found
 from .blueprint import bp
-from ..problem_details import not_found
 
 
 @bp.get("/<path:_>")
-def fallback_not_found(_):
+def fallback_not_found(_: object) -> ProblemResponse:
     """
     If you can't find a matching API endpoint, fallback to returning a 404.
 
@@ -16,5 +16,5 @@ def fallback_not_found(_):
 
 
 @bp.get("/")
-def index():
+def index() -> str:
     return render_template("redocly.html")
diff --git a/portal/api/version.py b/portal/api/version.py
index 8674f682293185ae7d97f8aba24d9d7b3575cfed..b12b5274c26b0f98101ac958cc331e2013965f70 100644
--- a/portal/api/version.py
+++ b/portal/api/version.py
@@ -1,12 +1,13 @@
 import json
 from datetime import datetime
 from pathlib import Path
+from typing import Any
 
 from .blueprint import bp
 
 
 @bp.get("/version")
-def get_version():
+def get_version() -> dict[str, Any]:
     portal_version_path = Path("./PORTAL_VERSION")
     if portal_version_path.is_file():
         with open("PORTAL_VERSION") as f:
diff --git a/portal/main.py b/portal/main.py
index 327b6d81adfa8c5bc5ca422e57ed30fb928dc8bf..bbf1a38cd6f7909f6784ff40425a38445fe33a4f 100644
--- a/portal/main.py
+++ b/portal/main.py
@@ -1,11 +1,12 @@
-from flask import Blueprint, render_template, redirect, url_for
+from flask import Blueprint, redirect, render_template, url_for
+from werkzeug import Response
 
 bp = Blueprint("main", __name__)
 
 
 @bp.get("/", defaults={"_": ""})
 @bp.get("/<path:_>")
-def index(_):
+def index(_: object) -> str:
     """
     Serve the index page at /*, i.e. at any path below / and at / itself.
 
@@ -16,5 +17,5 @@ def index(_):
 
 
 @bp.get("/api/")
-def redirect_to_api():
+def redirect_to_api() -> Response:
     return redirect(url_for("api.index"))
diff --git a/portal/model/Retrievable.py b/portal/model/Retrievable.py
index d754852cd8660460136385e0e80180ec4abf2526..1b7c6495c41b7e1aace3d3628fa627b34ae3b56a 100644
--- a/portal/model/Retrievable.py
+++ b/portal/model/Retrievable.py
@@ -1,7 +1,8 @@
 from abc import abstractmethod
-from typing import List, Optional, Any, Self
+from typing import Any, List, Optional, Self
 
 from flask import g
+
 from portal import db
 
 
diff --git a/portal/problem_details.py b/portal/problem_details.py
index a397f0dec1b824ae526b8653cbcbd728244d7f97..517ffd6414ccf256a1b3eebef0263a7e012c92d8 100644
--- a/portal/problem_details.py
+++ b/portal/problem_details.py
@@ -4,15 +4,17 @@ Provide RFC 7807-compliant problem details responses for the API.
 
 from typing import Optional
 
+ProblemResponse = tuple[dict, int, dict]
 
-def unauthorized():
+
+def unauthorized() -> ProblemResponse:
     """
     Return a 401 message and status code
     """
     return _problem_response(title="Unauthorized", status=401)
 
 
-def not_found():
+def not_found() -> ProblemResponse:
     """
     Return a 404 message and status code
     """
@@ -24,7 +26,7 @@ def _problem_response(
     status: int,
     type_uri: Optional[str] = None,
     extensions: Optional[dict] = None,
-) -> tuple[dict, int, dict]:
+) -> ProblemResponse:
     type_dict = {"type": type_uri} if type_uri is not None else {}
     title_dict = {"title": title}