Fastauth-api is an authentication middleware designed to integrate with FastAPI applications. It provides generation and management of access and refresh tokens, as well as utilities for encryption and secure key management. It is intended to simplify implementing token-based authentication policies and storing tokens in a generic backend exposed via a REST API.
- Summary of main features
- Installation
- Configuration file
- Key and token generation (utilities)
- Basic usage (FastAPI integration)
- Using the /auth/token router
- TODO / Roadmap
- Version status
- License
- Generation of Access Tokens and Refresh Tokens.
- Integration with an external API for token persistence.
- Support for a "master token" that enables privileged operations.
- Utilities to generate and store secure encryption keys.
- Configurable middleware to protect routes by levels (master / access).
Install from PyPI:
pip install fastauth-apiCreate in the project root a file named fastauth.config.json with the minimal structure:
{
"app_name": "fastauth",
"database-api-url": "http://127.0.0.1:8000/mydb/data",
"master_token": "<your-master-token>",
"cryptography_key": "<your-32-byte-cryptography-key>",
"headers": {
"custom-header": "value",
"...": "..."
},
"master_token_paths": [
"list of your root endpoints that need master token for use"
],
"access_token_paths": [
"list of your root endpoints that need access token for use"
]
}In this configuration:
app-name: identifier name of the application.database-api-url: endpoint of the API responsible for persisting tokens.master-token: (optional) token with privileges for administrative operations.cryptography-key: (optional) key used to encrypt/decrypt payloads.master-token-pathsandaccess-token-paths: route patterns that require validation by token type.
If you don't include master-token or cryptography-key in the file, you can define them via environment variables (see next section).
See example: fastauth.config.json
You can define sensitive keys in your .env:
CRYPTOGRAPHY_KEY=kAONxbkATfyk3kmnUhw7YyAMotmvuJ6tVsuT1w3A6N4=
MASTER_TOKEN=kAONxbkATfyk3kmnUhw7YyAMotmvuJ6tVsuT1w3A6N4=When both sources (config file and environment variables) are available, the value in the config file has priority.
The FastauthSettings can now be customized through parameters. It is possible to pass settings directly to the class: Fastauth(settings: FastauthSettings | dict). These options follow exactly the same configuration and format as defined in the fastauth.config file.
class FastauthSettings(BaseModel):
app_name: str = "fastauth-api"
database_api_path: str | None = None
master_token: str | None = None
cryptography_key: str | None = None
headers: dict | None = None
master_token_paths: list | None = []
access_token_paths: list | None = []class Fastauth:
def __init__(self, settings: FastauthSettings | dict | None = None):
if isinstance(settings, dict):
settings = FastauthSettings(**settings)
... from fastapi import FastAPI
from fastauth import Fastauth, FastauthSettings
app = FastAPI(root_path="/test-api")
settings = {
"app_name": "fastauth",
"database_api_path": "http://127.0.0.1:6789/mydb/data",
"master_token": "kAONxbkATfyk3kmnUhw7YyAMotmvuJ6tVsuT1w3A6N4=",
"cryptography_key": "kAONxbkATfyk3kmnUhw7YyAMotmvuJ6tVsuT1w3A6N4=",
"headers": {},
"master_token_paths": ["/master"],
"access_token_paths": ["/access"],
}
auth = Fastauth(settings=settings)
auth.set_auth(app)Fastauth includes utilities to generate secure keys and write variables to the environment:
- Generate a CRYPTOGRAPHY_KEY:
from fastauth.utils import generate_cryptography_key
generate_cryptography_key()- Generate and write a MASTER_TOKEN to the environment file:
from cryptography.fernet import Fernet
from fastauth.utils import writekey2env
key = Fernet.generate_key().decode()
writekey2env(key=key, name="MASTER_TOKEN")These utilities allow creating secure keys compatible with the internal encryption system.
Minimal integration example:
from fastapi import FastAPI
from fastauth import Fastauth
app = FastAPI(root_path="/test-api")
auth = Fastauth()
auth.set_auth(app)
@app.get("/health")
async def health_check():
return {"status": "healthy"}
@app.get("/access/health")
async def access_health_check():
return {"service": "access health that need access token", "status": "healthy"}
@app.get("/master/health")
async def master_health_check():
return {"service": "master health that need master token", "status": "healthy"}auth.set_auth(app) applies the middleware and the routers required for issuing and verifying tokens according to the configuration.
The package exposes a router with two public endpoints for generating and renewing JWT tokens. These endpoints are registered under the configured prefix (default /auth) and return a standardized response with status, message, HTTP code and a data block containing the tokens and the client_id.
GET /auth/token/new-
Description: Generates a new pair of tokens (access + refresh). If
client_idis provided, the tokens are associated with that identifier; otherwise, a randomclient_idis generated. -
Query params:
- client_id (optional): string
-
Response (200 OK, example):
{ "status": "success", "message": "Token generated", "code": 200, "data": { "client_id": "abc-123", "access_token": "<jwt_access_token>", "refresh_token": "<jwt_refresh_token>" } } -
Common errors:
- 500 INTERNAL SERVER ERROR: if the encryption key (
CRYPTOGRAPHY_KEY) is not configured.
- 500 INTERNAL SERVER ERROR: if the encryption key (
-
GET /auth/token/refresh- Description: Validates a
refresh_tokenand issues a new pair of tokens associated with theclient_idcontained in the refresh token. - Query params:
- refresh_token (required): string
- Behavior:
- Decodes the refresh token with the encryption key using HS256.
- If the token is valid and contains
client_id, new tokens are generated.
- Responses:
- Success: same structure as
/token/new. - 401 UNAUTHORIZED: invalid token or missing
client_id. - 500 INTERNAL SERVER ERROR: if the encryption key is missing.
- Success: same structure as
- Description: Validates a
CRYPTOGRAPHY_KEY: secret key used to sign and verify JWTs. Must be present in the configuration file (fastauth.config.json) or in environment variables (file value takes precedence). Without this key, the endpoints will return errors and be unusable.database-api-url: the implementation internally callssave_token(...)to persist tokens; ensure that the persistence API is available and correctly configured.
- JWT algorithm: HS256.
- Default durations:
- Access token: 30 days
- Refresh token: 365 days
- Payloads: include
client_id,type(accessorrefresh),iatandexp. - Persistence: when generating tokens, the
save_tokenfunction saves theclient_id,access_tokenandrefresh_tokenin the configured backend.
-
Curl: generate new token (without client_id):
curl -X GET "http://localhost:8000/auth/token/new" -
Curl: generate new token (with client_id):
curl -X GET "http://localhost:8000/auth/token/new?client_id=my-client-id" -
Curl: refresh using refresh token:
curl -G "http://localhost:8000/auth/token/refresh" --data-urlencode "refresh_token=<jwt_refresh_token>"
-
Python (requests) β generate:
import requests r = requests.get("http://localhost:8000/auth/token/new", params={"client_id":"my-client"}) print(r.json())
-
For custom logic you can extend TokenRouter and override the private methods exposed in the class (for example
__generate_access_tokenand__refresh_access_token) and then include the router with:token_router = TokenRouter() # or a custom subclass app.include_router(token_router.route)
"Crypto key not set"β missing CRYPTOGRAPHY_KEY (500)"Invalid refresh token"β token not decodable or corrupted (401)"Invalid refresh token: missing client_id"β valid refresh token but without client_id (401)
- Expand compatibility with different encrypted payload formats.
- Restructure and scale the websocket decorator implementation.
- Fully document each endpoint so that it appears in Swagger/OpenAPI.
- Rotate the key carefully: implement migration if the encryption key changes, since tokens signed with the previous key will become invalid.
- Use the access token as a Bearer in the Authorization header to protect routes that require validation: Authorization: Bearer <access_token>
- π Token-based authentication system (Access + Refresh) with endpoints ready: check the
/authrouter and the/token/newand/token/refreshendpoints in auth.py. - βοΈ Easy integration with
FastAPI: functionFastauth().set_auth(app)applies middleware, registers routes and replaces the OpenAPI with FastauthOpenAPI. - π‘ Configurable middleware: Master / Access level protection based on routes defined in the configuration. Supports validation of MASTER-TOKEN and ACCESS-TOKEN headers.
- π§Ύ Flexible configuration: values from
fastauth.config.json, environment variables (.env) or customFastauthSettings. - π Basic key management and utilities:
- Generate
CRYPTOGRAPHY_KEYwithgenerate_cryptography_key(). - Read/write variables in
.envusingwritekey2env(...).
- Generate
- π§ JWT tokens signed with HS256 and payloads containing
client_id,type,iat,exp. - πΎ Decoupled token persistence:
save_token/load_access_tokeninteract with an external API configurable via"database_api_path"in the configuration file. - π WebSocket support: authentication decorator for websockets (checks ACCESS-TOKEN or MASTER-TOKEN in headers).
- π§° Extensible:
TokenRoutercan be extended to customize token generation/renewal; middleware and OpenAPI are easily replaceable/adjustable.
Project under the MIT license. See the LICENSE file for details.