# FastAPI FullAuth
Production-grade, async-native authentication and authorization for FastAPI.
Documentation: https://mdfarhankc.github.io/fastapi-fullauth
Source Code: https://github.com/mdfarhankc/fastapi-fullauth
Add a complete authentication and authorization system to your FastAPI project. FastAPI FullAuth is designed to be production-ready, async-native, and pluggable, handling JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, and role-based access out of the box.

## Features

- JWT access + refresh tokens with configurable expiry
- Refresh token rotation with reuse detection (a replayed refresh token revokes the entire session family)
- Password hashing via Argon2id (default) or bcrypt
- Email verification and password reset flows with event hooks
- Passkey (WebAuthn): passwordless login with fingerprint, Face ID, or security keys
- OAuth2 social login: Google and GitHub, with multi-redirect-URI support
- Role-based access control: `current_user`, `require_role()`, `require_permission()`
- Rate limiting: per-route auth limits + global middleware (memory or Redis)
- CSRF protection and security headers middleware
- Pluggable adapters: SQLModel or SQLAlchemy
- Generic type parameters: define your own schemas with full IDE support and type safety
- Composable routers: include only the route groups you need
- Event hooks: `after_register`, `after_login`, `send_verification_email`, etc.
- Custom JWT claims: embed app-specific data in tokens
- Redis support: token blacklist and rate limiter backends
- Python 3.10 to 3.14 supported
## Installation

```bash
pip install fastapi-fullauth

# with an ORM adapter
pip install fastapi-fullauth[sqlmodel]
pip install fastapi-fullauth[sqlalchemy]

# with redis for token blacklisting
pip install fastapi-fullauth[sqlmodel,redis]

# with OAuth2 social login
pip install fastapi-fullauth[sqlmodel,oauth]

# everything
pip install fastapi-fullauth[all]
```
## Example

```python
from fastapi import FastAPI
from fastapi_fullauth import FullAuth, FullAuthConfig
from fastapi_fullauth.adapters.sqlmodel import SQLModelAdapter

# session_maker and User are your application's own SQLModel session factory
# and user model; define them before constructing the adapter.

app = FastAPI()

fullauth = FullAuth(
    adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
    config=FullAuthConfig(
        SECRET_KEY="your-secret-key",
    ),
)

fullauth.init_app(app)
```

This registers all auth routes under `/api/v1/auth/` automatically.

If you omit `SECRET_KEY` in development, a random key is generated at startup; tokens signed with it will not survive a restart.
## Composable routers

Opt in to a subset of routers:

Or wire routers manually for full control:

```python
app = FastAPI()
fullauth.bind(app)  # required for dependencies to work
app.include_router(fullauth.auth_router, prefix="/api/v1/auth")
app.include_router(fullauth.profile_router, prefix="/api/v1/auth")
```
| Router | Routes |
|---|---|
| `auth_router` | register, login, logout, refresh |
| `profile_router` | me, verified-me, update profile, delete account, change password |
| `verify_router` | email verification, password reset |
| `admin_router` | assign/remove roles and permissions (superuser) |
| `oauth_router` | OAuth provider routes (only if configured) |
| `passkey_router` | Passkey register, authenticate, list, delete (only if enabled) |

`fullauth.init_app(app)` with no `include_routers` argument registers all of them. Pass an explicit list (or use the individual router properties) for granular control. Middleware is never auto-wired; see Middleware.
## Routes

| Method | Path | Description |
|---|---|---|
| POST | `/auth/register` | Create a new user |
| POST | `/auth/login` | Authenticate, get tokens |
| POST | `/auth/logout` | Blacklist token |
| POST | `/auth/refresh` | Rotate token pair |
| GET | `/auth/me` | Get current user |
| GET | `/auth/me/verified` | Verified users only |
| PATCH | `/auth/me` | Update profile |
| DELETE | `/auth/me` | Delete account |
| POST | `/auth/change-password` | Change password |
| POST | `/auth/verify-email/request` | Request verification email |
| POST | `/auth/verify-email/confirm` | Confirm email |
| POST | `/auth/password-reset/request` | Request password reset |
| POST | `/auth/password-reset/confirm` | Reset password |
| POST | `/auth/admin/assign-role` | Assign role (superuser) |
| POST | `/auth/admin/remove-role` | Remove role (superuser) |
| POST | `/auth/admin/assign-permission` | Assign permission to role (superuser) |
| POST | `/auth/admin/remove-permission` | Remove permission from role (superuser) |
| GET | `/auth/admin/role-permissions/{role}` | List role's permissions (superuser) |
With OAuth enabled, additional routes are registered under `/auth/oauth/`. With passkeys enabled, routes are registered under `/auth/passkeys/`. See OAuth2 Social Login and Passkeys.

All routes are prefixed with `/api/v1` by default (configurable via `API_PREFIX`).
## Learn more

- Architecture: understand how the library works internally
- Getting Started: step-by-step setup tutorial
- Testing: test apps built with fastapi-fullauth
- Troubleshooting: common errors and solutions

## AI-friendly docs

Using an AI coding assistant? Point it at our LLM-optimized docs:

- llms.txt: concise overview with links to all doc pages
- llms-full.txt: full documentation in a single file

Works with Claude, Cursor, Copilot, and any tool that accepts a docs URL.

## License

MIT