Skip to content

FastAPI FullAuth

FastAPI FullAuth

Production-grade, async-native authentication and authorization for FastAPI.

PyPI Python CI License


Add a complete authentication and authorization system to your FastAPI project. FastAPI FullAuth is async-native and pluggable: JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, passkeys, and role-based access, all opt-in.

Why FastAPI FullAuth

  • Async-native

    Built for async/await end to end on SQLAlchemy or SQLModel, with no sync bridges.

  • Secure by default

    Argon2id hashing, refresh-token rotation with reuse detection, and account lockout out of the box.

  • Pluggable, not prescriptive

    Bring your own user schema, adapter, and backends. Include only the routers you need.

  • Fully typed

    Generic over your user schema, ships py.typed, and checked under mypy --strict.

Install

pip install fastapi-fullauth[sqlmodel]

Getting Started covers the SQLAlchemy, OAuth, passkey, Redis, and bcrypt extras.

Quick example

from fastapi import FastAPI
from sqlmodel import Relationship

from fastapi_fullauth import FullAuth, FullAuthConfig
from fastapi_fullauth.adapters import SQLModelAdapter
from fastapi_fullauth.models.sqlmodel import RefreshTokenMixin, UserMixin


class RefreshToken(RefreshTokenMixin, table=True):
    pass


class User(UserMixin, table=True):
    refresh_tokens: list[RefreshToken] = Relationship()


app = FastAPI()
fullauth = FullAuth(
    adapter=SQLModelAdapter(
        session_maker=session_maker,
        user_model=User,
        refresh_token_model=RefreshToken,
    ),
    config=FullAuthConfig(SECRET_KEY="your-secret-key"),
)
fullauth.init_app(app)

This registers the auth routes under /api/v1/auth/ automatically. Omit SECRET_KEY in development and a random one is generated (tokens won't survive restarts).

What you get

  • Authentication

    Register, login, logout, JWT refresh rotation, email verification, and password reset.

  • Social and passwordless

    OAuth2 with Google and GitHub, plus passkeys (WebAuthn) for biometric login.

  • Authorization

    Role-based access with current_user, require_role(), and require_permission().

  • Protection

    Rate limiting, account lockout, CSRF, and security headers.

The combined router mounts under /api/v1/auth by default. Admin, OAuth, and passkey routes register only when your adapter supports them; the full route list is in Getting Started.

Learn more

  • Getting Started

    Step-by-step setup, from install to protected routes.

  • Architecture

    How tokens, adapters, and protection subsystems fit together.

  • Configuration

    Every option, with production .env examples.

  • Customization

    Every extension point: custom adapters, schemas, claims, hooks, and transport.

  • Troubleshooting

    Common errors mapped to fixes.

AI-friendly docs

Point your AI coding assistant at the LLM-optimized docs:

  • llms.txt: concise overview with links to all doc pages
  • llms-full.txt: full documentation in a single file

License

MIT