FastAPI FullAuth
Production-grade, async-native authentication and authorization for FastAPI.
Add a complete authentication and authorization system to your FastAPI project. FastAPI FullAuth is async-native and pluggable: JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, passkeys, and role-based access, all opt-in.
Why FastAPI FullAuth¶
-
Async-native
Built for
async/awaitend to end on SQLAlchemy or SQLModel, with no sync bridges. -
Secure by default
Argon2id hashing, refresh-token rotation with reuse detection, and account lockout out of the box.
-
Pluggable, not prescriptive
Bring your own user schema, adapter, and backends. Include only the routers you need.
-
Fully typed
Generic over your user schema, ships
py.typed, and checked undermypy --strict.
Install¶
Getting Started covers the SQLAlchemy, OAuth, passkey, Redis, and bcrypt extras.
Quick example¶
from fastapi import FastAPI
from sqlmodel import Relationship
from fastapi_fullauth import FullAuth, FullAuthConfig
from fastapi_fullauth.adapters import SQLModelAdapter
from fastapi_fullauth.models.sqlmodel import RefreshTokenMixin, UserMixin
class RefreshToken(RefreshTokenMixin, table=True):
pass
class User(UserMixin, table=True):
refresh_tokens: list[RefreshToken] = Relationship()
app = FastAPI()
fullauth = FullAuth(
adapter=SQLModelAdapter(
session_maker=session_maker,
user_model=User,
refresh_token_model=RefreshToken,
),
config=FullAuthConfig(SECRET_KEY="your-secret-key"),
)
fullauth.init_app(app)
This registers the auth routes under /api/v1/auth/ automatically. Omit SECRET_KEY in development and a random one is generated (tokens won't survive restarts).
What you get¶
-
Authentication
Register, login, logout, JWT refresh rotation, email verification, and password reset.
-
Social and passwordless
OAuth2 with Google and GitHub, plus passkeys (WebAuthn) for biometric login.
-
Authorization
Role-based access with
current_user,require_role(), andrequire_permission(). -
Protection
Rate limiting, account lockout, CSRF, and security headers.
The combined router mounts under /api/v1/auth by default. Admin, OAuth, and passkey routes register only when your adapter supports them; the full route list is in Getting Started.
Learn more¶
-
Step-by-step setup, from install to protected routes.
-
How tokens, adapters, and protection subsystems fit together.
-
Every option, with production
.envexamples. -
Every extension point: custom adapters, schemas, claims, hooks, and transport.
-
Common errors mapped to fixes.
AI-friendly docs¶
Point your AI coding assistant at the LLM-optimized docs:
- llms.txt: concise overview with links to all doc pages
- llms-full.txt: full documentation in a single file
License¶
MIT