FastAPI FullAuth

Production-grade, async-native authentication and authorization for FastAPI.

Documentation: https://mdfarhankc.github.io/fastapi-fullauth
Source Code: https://github.com/mdfarhankc/fastapi-fullauth


Add a complete authentication and authorization system to your FastAPI project. FastAPI FullAuth is designed to be production-ready, async-native, and pluggable — handling JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, and role-based access out of the box.

Features

  • JWT access + refresh tokens with configurable expiry
  • Refresh token rotation with reuse detection (revokes entire session family on replay)
  • Password hashing via Argon2id (default) or bcrypt
  • Email verification and password reset flows with event hooks
  • OAuth2 social login — Google and GitHub, with multi-redirect-URI support
  • Role-based access control: CurrentUser, VerifiedUser, SuperUser, require_role()
  • Rate limiting — per-route auth limits + global middleware (memory or Redis)
  • CSRF protection and security headers middleware
  • Pluggable adapters — SQLModel or SQLAlchemy
  • Generic type parameters — define your own schemas with full IDE support and type safety
  • Composable routers — include only the route groups you need
  • Event hooks: after_register, after_login, send_verification_email, etc.
  • Custom JWT claims — embed app-specific data in tokens
  • Redis support — token blacklist and rate limiter backends
  • Python 3.10 to 3.14 supported
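
How refresh token rotation with reuse detection behaves, as an added example that is not FastAPI FullAuth's own code: an in-memory store in which replaying an already-rotated refresh token revokes its whole session family. RefreshStore, login, rotate and demo are hypothetical names, and opaque random tokens stand in for the library's JWTs.

```python
import hashlib
import secrets


class RefreshStore:
    """In-memory refresh-token store (hypothetical, for illustration only)."""

    def __init__(self):
        self._tokens = {}      # sha256(token) -> {"user", "family", "used"}
        self._revoked = set()  # session families revoked after a replay

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked store does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"user": user, "family": family, "used": False}
        return token

    def login(self, user):
        """Start a new session family and return its first refresh token."""
        return self._mint(user, secrets.token_hex(8))

    def rotate(self, token):
        """Exchange a refresh token for its successor; None means rejected."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"]:
            # An already-rotated token was presented again, so two parties
            # hold tokens from this family: revoke every token in it.
            self._revoked.add(rec["family"])
            return None
        rec["used"] = True
        return self._mint(rec["user"], rec["family"])


def demo():
    """Constructed scenario: one replay, observed from two sessions."""
    store = RefreshStore()
    t1 = store.login("alice")       # constructed sample user
    t2 = store.rotate(t1)           # normal refresh: t1 is spent, t2 issued
    other = store.login("alice")    # independent session, e.g. a second device
    replay = store.rotate(t1)       # spent token replayed: family revoked
    after = store.rotate(t2)        # newest token of that family is dead too
    survivor = store.rotate(other)  # the unrelated family keeps working
    return t2 is not None, replay, after, survivor is not None
```

The legitimate holder of t2 is logged out by the replay as well; that forced re-login is what tells a user or a detection rule that a refresh token was copied.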

Installation

pip install fastapi-fullauth

# with an ORM adapter (quote the extras so shells such as zsh do not glob the brackets)
pip install "fastapi-fullauth[sqlmodel]"
pip install "fastapi-fullauth[sqlalchemy]"

# with redis for token blacklisting
pip install "fastapi-fullauth[sqlmodel,redis]"

# with OAuth2 social login
pip install "fastapi-fullauth[sqlmodel,oauth]"

# everything
pip install "fastapi-fullauth[all]"

Example

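from fastapi import FastAPI
from fastapi_fullauth import FullAuth, FullAuthConfig
from fastapi_fullauth.adapters.sqlmodel import SQLModelAdapter

# session_maker and User come from your application's own database setup
# and user model; they must be in scope before this point.
app = FastAPI()

fullauth = FullAuth(
    adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
    config=FullAuthConfig(
        # Placeholder value. In production, supply a long random secret from
        # the environment or a secret manager, not a literal in source.
        SECRET_KEY="your-secret-key",
    ),
)
fullauth.init_app(app)  # registers the auth routes on the app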

This registers all auth routes under /api/v1/auth/ automatically.

Omit SECRET_KEY in dev and a random one is generated (tokens won't survive restarts).

Composable routers

Exclude routers you don't need:

fullauth.init_app(app, exclude_routers=["admin"])

Or wire routers manually for full control:

app = FastAPI()
fullauth.bind(app)  # required for dependencies to work

app.include_router(fullauth.auth_router, prefix="/api/v1/auth")
app.include_router(fullauth.profile_router, prefix="/api/v1/auth")
fullauth.init_middleware(app)

Router          Routes
auth_router     register, login, logout, refresh
profile_router  me, verified-me, update profile, delete account, change password
verify_router   email verification, password reset
admin_router    assign/remove roles and permissions (superuser)
oauth_router    OAuth provider routes (only if configured)

fullauth.init_app(app) includes all of them. Use exclude_routers or individual routers for granular control.

Routes

Method  Path                                 Description
POST    /auth/register                       Create a new user
POST    /auth/login                          Authenticate, get tokens
POST    /auth/logout                         Blacklist token
POST    /auth/refresh                        Rotate token pair
GET     /auth/me                             Get current user
GET     /auth/me/verified                    Verified users only
PATCH   /auth/me                             Update profile
DELETE  /auth/me                             Delete account
POST    /auth/change-password                Change password
POST    /auth/verify-email/request           Request verification email
POST    /auth/verify-email/confirm           Confirm email
POST    /auth/password-reset/request         Request password reset
POST    /auth/password-reset/confirm         Reset password
POST    /auth/admin/assign-role              Assign role (superuser)
POST    /auth/admin/remove-role              Remove role (superuser)
POST    /auth/admin/assign-permission        Assign permission to role (superuser)
POST    /auth/admin/remove-permission        Remove permission from role (superuser)
GET     /auth/admin/role-permissions/{role}  List role's permissions (superuser)

With OAuth enabled, additional routes are registered under /auth/oauth/. See OAuth2 Social Login.

All routes are prefixed with /api/v1 by default (configurable via API_PREFIX).

AI-friendly docs

Using an AI coding assistant? Point it at our LLM-optimized docs:

  • llms.txt — concise overview with links to all doc pages
  • llms-full.txt — full documentation in a single file

Works with Claude, Cursor, Copilot, and any tool that accepts a docs URL.

License

MIT