b3dmar-auth-core
Authentication primitives for FastAPI services
A shared library for JWT handling, password hashing, RBAC, and token revocation — extracted from production services and designed to drop into any FastAPI project.
Why this exists
Every FastAPI service needs authentication, and the patterns are always the same: validate JWTs, hash passwords, check permissions, handle token revocation. Rather than copying this logic across 3ngram, Climbr, and future services, we extracted the common patterns into a tested, documented library.
What it provides
JWT module — token creation and validation with type discrimination (access vs. refresh), JTI tracking, and configurable issuer/audience claims.
Password module — Argon2id hashing following OWASP recommendations. Drop-in replacement for bcrypt with better resistance to GPU and side-channel attacks.
RBAC module — generic permission checker with FastAPI dependency factories. You define the permission matrix; the library handles enforcement.
Revocation module — Redis-backed token denylist with a configurable outage policy: fail-open (accept tokens while Redis is down, so revocation is best-effort) or fail-closed (reject all tokens while Redis is down, so revocation is guaranteed at the cost of availability). Pick the mode that matches your security requirements.
Rate limiting — pre-configured slowapi limiter for auth endpoints to prevent brute-force attacks.
Schemas — Pydantic v2 models for token payloads and auth responses.
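The fail-open versus fail-closed choice in the revocation module is easiest to see in code. The following is an added illustration, not code from b3dmar-auth-core: the RevocationChecker and FakeRedis names, the revoked:<jti> key layout and the constructed outage are all assumptions made for the example.

```python
from dataclasses import dataclass, field

class RedisUnavailable(Exception):
    """Constructed stand-in for a Redis connection error."""

@dataclass
class FakeRedis:
    """Minimal in-memory Redis stand-in (constructed for this example)."""
    keys: set = field(default_factory=set)
    down: bool = False

    def exists(self, key: str) -> int:
        if self.down:
            raise RedisUnavailable("connection refused")
        return int(key in self.keys)

    def set(self, key: str, value: str, ex: int = 0) -> None:
        if self.down:
            raise RedisUnavailable("connection refused")
        self.keys.add(key)  # TTL (ex) is accepted but not simulated here

class RevocationChecker:
    """Denylist lookup by JTI with an explicit outage policy (hypothetical name)."""

    def __init__(self, redis, fail_open: bool) -> None:
        self.redis = redis
        self.fail_open = fail_open

    def revoke(self, jti: str, ttl_seconds: int) -> None:
        # A deny entry only needs to outlive the token it blocks.
        self.redis.set(f"revoked:{jti}", "1", ex=ttl_seconds)

    def is_allowed(self, jti: str) -> bool:
        try:
            return self.redis.exists(f"revoked:{jti}") == 0
        except RedisUnavailable:
            # fail-open: keep serving, accept that a revoked token may pass.
            # fail-closed: reject everything until the denylist is reachable.
            return self.fail_open

def demo() -> dict:
    r = FakeRedis()
    closed = RevocationChecker(r, fail_open=False)
    closed.revoke("jti-revoked", ttl_seconds=900)
    out = {"live_ok": closed.is_allowed("jti-live"),
           "revoked_blocked": not closed.is_allowed("jti-revoked")}
    r.down = True  # simulate the Redis outage
    out["fail_closed_denies"] = not closed.is_allowed("jti-live")
    out["fail_open_allows"] = RevocationChecker(r, fail_open=True).is_allowed("jti-live")
    return out
```

During the simulated outage the fail-closed checker rejects even a live token, while the fail-open checker accepts any JTI, including one that was revoked before Redis went away.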
Design principles
Stateless and composable. Each module works independently. Use all of them or just the JWT validation.
Domain-agnostic. No opinion on your user model, database, or tenancy scheme. You bring your own user lookup — the library handles the auth mechanics.
Production-tested. Every primitive ran in production across multiple services before it was extracted here.
Getting started
pip install git+https://github.com/sebastianebg/b3dmar-auth-core.git
See the repository README and cookbook/ directory for integration examples covering common patterns: basic JWT auth, multi-tenant RBAC, refresh token rotation, and revocation setup.