Reference Python SDK for the allus company-data API: typed, plaintext, slug-keyed conclusions with transparent decryption.
Project description
allus-company-data (Python)
The Python SDK for the allus company-data API. Point it at a JSON config file and it hands back typed, plaintext, your-slug-keyed conclusions: for each connected person, a map of your request-field slug → plaintext value (plus whether the value is live and when it last changed).
The SDK hides everything else — the OAuth token, the field catalog, the id plumbing, the hybrid decryption, binary fetching, the changes-queue mechanics, JSON-vs-XML. The platform is zero-knowledge: the API only ever holds ciphertext, so all decryption happens inside the SDK with your service private key. The person's own field choices are never exposed — you only ever see the request slots you configured.
This SDK is one of six language ports that share an identical API surface. This manual is the Python view of it.
Contents: TL;DR — fetch new updates · Quickstart · Every call · The typed value model · The changes pump · Webhooks · Company documents · Rate limits · Errors · How it's wired
Deeper reference pages live in docs/:
config · model · pump ·
webhooks · errors.
TL;DR — fetch new updates
pip install allus-company-data
Point a config.json at your service keys:
{
"api_url": "https://api.allme.fyi",
"client_id": "svc_xxx",
"client_secret": "xxx",
"service_private_key": "/path/to/service.pem",
"key_passphrase": "xxx",
"cache_dir": "./allus-cache"
}
Drain everything new, handled one update at a time:
from allus_company_data import Client
client = Client.from_config("config.json")
def handle(change):
# one update at a time: event, person, slug, value, live, at
print(change.event, change.person_id, change.slug, change.value,
"live" if change.live else "snapshot", change.at)
client.process_changes(handle) # returns when the feed is empty
process_changes pulls every pending change, decrypts it, and hands them to your
callback ONE BY ONE, acking each only after your code returns. Crash mid-batch?
The next run replays exactly what wasn't acked — nothing is lost, and the API
keeps no backlog of its own. Run it on a schedule (cron / systemd timer); there
is no daemon/follow mode by design. Connections, binary values, and webhooks are
documented below.
Quickstart
Requires Python ≥ 3.11.
pip install allus-company-data
# or, working from this repo: pip install -e '.[dev]' # from sdks/python/
python -c "import allus_company_data; print(allus_company_data.__version__)"
1. Write a config file
A single JSON file holds everything. Any field can be overridden by an ALLUS_*
env var, so secrets needn't live in the file. No SDK method ever takes a key,
passphrase, or secret as an argument — they all come from here.
allus.json:
{
"api_url": "https://api.allme.fyi",
"client_id": "svc_1a2b3c…",
"client_secret": "…",
"service_private_key": "./service-CRM.pem",
"key_passphrase": "…",
"account_private_key": "./account.pem",
"account_passphrase": "…",
"webhooks": {
"wh_abc123": "hmac_secret_for_that_webhook"
},
"cache_dir": "./allus-cache",
"format": "json"
}
| Field | Required | Meaning |
|---|---|---|
api_url |
yes | API base, e.g. https://api.allme.fyi. |
client_id / client_secret |
yes | The registered client_credentials credentials for one service. |
service_private_key |
yes | Path to the OpenSSL-encrypted PKCS#8 PEM you downloaded from the portal. |
key_passphrase |
yes | Decrypts that PEM in memory at startup. |
account_private_key / account_passphrase |
only for encrypt_payload webhooks |
The company account key, used to unwrap an encrypted webhook envelope. |
webhooks / webhook_secret |
webhook auth — HMAC (default) | Per-webhook HMAC secrets keyed by webhook id (matched via the X-Allus-Webhook-Id header). A single-webhook service can use a flat "webhook_secret": "…" instead of the map. |
webhook_bearer_token |
webhook auth — bearer | Verify Authorization: Bearer <token> deliveries. |
webhook_basic |
webhook auth — basic | {"username","password"} — verify HTTP Basic deliveries. |
webhook_header |
webhook auth — header | {"name","value"} — verify a custom-header delivery. |
webhook_auth_none |
webhook auth — none | true — explicit opt-out; verifyWebhook always passes (use only behind your own gateway). Configure at most one webhook auth method (two+ → ConfigError). |
cache_dir |
no (default ./allus-cache) |
Durable local buffer for the changes pump. Must be writable + durable. |
format |
no (default json) |
Wire format json or xml. Invisible in the output. |
Env overrides use the ALLUS_ prefix of the field name, e.g.
ALLUS_CLIENT_SECRET, ALLUS_KEY_PASSPHRASE, ALLUS_ACCOUNT_PASSPHRASE,
ALLUS_WEBHOOK_SECRET. A missing/invalid config (or an unreadable PEM / wrong
passphrase) raises ConfigError at construction — fail fast.
2. First call — list a connection's values
from allus_company_data import Client
client = Client.from_config("allus.json")
# Iterate every connected person (lazy, auto-paged).
for conn in client.connections():
print(conn.display_name, conn.person_id)
for slug, val in conn.values.items():
print(f" {slug} = {val.value!r} (live={val.live}, updated={val.updated_at})")
break # just the first one for the demo
Or fetch one connection by id:
conn = client.connection("019xxxxxxxxxxxxxxxxxxxxxxxxx")
email = conn.values["work_email"].value # "alice@acme.com" (a str)
client = Client.from_env() builds the same client entirely from ALLUS_*
env vars (no file).
Every call
Client is the only object you construct. Build it from config, then:
Client.from_config(path, **kwargs) -> Client # from a JSON file (env overrides secrets)
Client.from_env(**kwargs) -> Client # entirely from ALLUS_* env vars
kwargs are advanced/optional: http (an injected HttpClient), logger (a
logging.Logger), sleep (a Callable[[float], None], for tests).
request_fields()
request_fields() -> list[RequestField]
Your request-field definitions — fetched once from
GET /api/company-data/request-fields and cached for the life of the client (it
types every value). Returns your request config, never the person's fields.
- Params: none.
- Returns:
list[RequestField]— eachRequestField(slug, label, type, one_time, mandatory, raw).mandatoryis true when the field is mandatory-to-provide or mandatory-to-stay-connected. - Raises:
AuthError,ApiError,RateLimitError.
for f in client.request_fields():
flag = "mandatory" if f.mandatory else "optional"
print(f"{f.slug:20} {f.type:10} {flag}{' (one-time)' if f.one_time else ''}")
connections(limit, offset)
connections(limit: int = 100, offset: int = 0) -> Iterator[Connection]
A lazy generator that auto-pages GET /api/company-data/connections?limit&offset
and yields one typed Connection at a time (bounded memory for a large book).
Each conn.values[slug] is already decrypted (or a lazy binary handle).
- Params:
limit— page size (default 100);offset— starting offset. - Returns:
Iterator[Connection]. - Raises:
AuthError,ApiError,DecryptError(per value, at access),RateLimitError(after the iterator's bounded internal backoff — see Rate limits).
Heavily rate-limited. Use for the initial full sync + occasional reconciliation only — never as a poll substitute for the changes feed. The generator paces itself within the limit (backs off on
Retry-After).
# Initial full sync, streaming so a 100k-connection book never lands in memory.
for conn in client.connections(limit=200):
upsert_local_record(conn)
connection(id)
connection(id: str) -> Connection
Fetch one connection by its connection id (GET /api/company-data/connections/{id}).
- Params:
id— the connection id (Connection.id). - Returns: one
Connection. Note: this endpoint returns{connection_id, user_id, values}and nodisplay_name/connected_at, so those identity fields areNonehere (the list endpoint carries them). - Raises:
AuthError,ApiError(404 if unknown),DecryptError,RateLimitError.
conn = client.connection(conn_id)
phone = conn.values.get("mobile")
if phone:
print(phone.value, "live" if phone.live else "snapshot")
logs(limit, offset)
logs(limit: int = 50, offset: int = 0) -> list[LogEntry]
The service's activity log (GET /api/company-data/logs?limit&offset) — ops
events only (email / purge / webhook), never person field data.
- Params:
limit(default 50),offset(default 0). - Returns:
list[LogEntry]— eachLogEntry(type, message, metadata, at, raw). - Raises:
AuthError,ApiError,RateLimitError.
for entry in client.logs(limit=20):
print(entry.at, entry.type, entry.message)
process_changes(handler, **options)
process_changes(handler: Callable[[Change], None], **options) -> None
The crash-safe changes pump: drains the feed through handler one Change at
a time, durably buffering each batch before delivery, with per-item ack and
retry → dead-letter → continue. Runs until the feed is empty, then returns —
there is no follow/daemon mode (you schedule re-runs yourself). Delivery is
at-least-once, so your handler must be idempotent (dedup on Change.id).
See The changes pump for the full model.
- Params:
handler— your callback; called with oneChange. A return is an ack; an exception triggers retry. - Options (keyword-only):
batch_size(clamped to ≤ 500, default 100),max_retries(default 3),on_error("deadletter"— default — or"halt"),backoff(Callable[[int], float], attempt → seconds). - Returns:
None(when the feed is empty + the buffer is drained). - Raises:
AuthError,ApiError,RateLimitError(during a drain);ValueError(badon_error); whatever the handler raises ifon_error="halt"and retries are exhausted.
def handle(change):
if already_processed(change.id): # idempotency — dedup on the stable id
return
if change.event == "field_updated":
store(change.person_id, change.slug, change.value)
elif change.event in ("connection_deleted", "field_deleted"):
remove(change.person_id, change.slug)
mark_processed(change.id)
client.process_changes(handle) # returns when the feed is empty
loggeris not aprocess_changesoption in this SDK — pass it once to theClientconstructor (Client.from_config("allus.json", logger=my_logger)).
Advanced changes primitives
drain_batch(max: int = 100) -> list[Change] # raw, UNBUFFERED — you own durability
dead_letters() -> list[dict] # the local dead-letter store
retry_dead_letters(handler, **options) -> int # re-drive dead-lettered events; returns count re-driven
drain_batch(max)— fetches one batch (clamped ≤ 500) and returns the decryptedChanges directly. It does not persist anything, so a crash loses what the API already deleted. Preferprocess_changesfor safe consumption.dead_letters()— each dict is the stored (ciphertext) event plus a flattenederrorandattempts.retry_dead_letters(handler, **options)— samemax_retries/on_error/backoffoptions asprocess_changes; on success a record is removed, on repeated failure it stays dead-lettered (or re-raises under"halt"). Dead letters are never re-fetched from the API — the local store is their only home.
for dl in client.dead_letters():
print("stuck:", dl["id"], dl["error"], "after", dl["attempts"], "attempts")
n = client.retry_dead_letters(handle) # after you've fixed the bug
print(f"re-drove {n} dead letters")
Webhook helpers (on the client)
The webhook receiver helpers are also exposed as Client methods (they delegate
to the module functions, fully config-driven — no key/secret arguments):
client.verify_webhook(raw_body: bytes, headers: dict) -> bool
client.parse_webhook(raw_body: bytes, headers: dict) -> Change
client.handle_webhook(raw_body: bytes, headers: dict) -> Change # verify + parse
verify_webhook— recomputesHMAC-SHA256(raw_body, secret)and constant-time-compares it toX-Allus-Signature. ReturnsTrue/False; never raises for a bad signature.parse_webhook— body → a typedChange. Does not verify. Handles JSON, XML, and theencrypt_payloadaccount-key envelope. RaisesWebhookErroron a malformed/unparseable body.handle_webhook— verify then parse; raisesWebhookErroron a bad/unknown signature, otherwise returns theChange. The typical one-liner inside a route.
The same three are importable as standalone functions
(from allus_company_data import verify_webhook, parse_webhook, handle_webhook),
which take the config and the decrypt/type closures explicitly — but inside an
app you'll almost always use the client methods. See Webhooks.
The typed value model
You work with these objects and nothing else (from allus_company_data import …):
RequestField { slug, label, type, one_time, mandatory } # YOUR request config
Connection { id, person_id, display_name, connected_at, values: {<slug>: Value} }
Value { value, live, updated_at }
Change { id, event, person_id, slug?, value?, live?, document_id?, status?, at }
Document { id, kind, name, description, status, payload_kind, is_private, value, metadata, created_at, updated_at }
LogEntry { type, message, metadata, at }
Keyed by your slug
conn.values["work_email"].value → "alice@acme.com". The key is the stable,
explicit slug you set per request field in the portal — rename the label freely,
the slug is the contract. The person's source field is never exposed: no
source slug, no field_id, not even via .raw.
Value(value, live, updated_at)
| Attribute | Meaning |
|---|---|
value |
The typed plaintext (see the table below). |
live |
True if the person chose "keep connected" (auto-updates); False for a one-time snapshot. |
updated_at |
datetime of when this answer last changed (per-answer, rides on the Value). |
Value types (from the field's type)
| Field type | Python value |
|---|---|
email, phone, url, text |
str |
address, bank, creditcard |
dict — the decrypted plaintext is a JSON object, parsed for you |
date, date_of_birth |
datetime.date (falls back to the raw string if it can't be parsed) |
photo, document, legal_document |
a lazy BinaryHandle — see below |
addr = conn.values["home_address"].value # dict, e.g. {"street": "...", "city": "...", ...}
dob = conn.values["birthday"].value # datetime.date(1990, 5, 17)
Binary fields — the lazy BinaryHandle
A photo/document value is a BinaryHandle. Nothing is fetched or decrypted until
you call .bytes() or .save():
handle = conn.values["passport_scan"].value # BinaryHandle (no network yet)
data = handle.bytes() # GET the slot file → decrypt → file bytes
n = handle.save("/tmp/passport.jpg") # same, written to disk; returns bytes written
print(handle.value_url) # the opaque slot-keyed URL it fetches from
.bytes() GETs the slot-keyed file endpoint, unwraps the API's
{"encrypted": true, "value": <wrapper>} envelope, decrypts with your service
key, parses the inner JSON envelope ({"full": "data:…"} for photos,
{"file": "data:…"} for documents) and base64-decodes the data URI into the
file bytes. The result is cached on the handle, so repeated calls don't re-fetch.
Change(id, event, person_id, slug?, value?, live?, at)
A change-feed / webhook event.
| Attribute | Meaning |
|---|---|
id |
The stable server change-row id — your dedup key (captured before the server delete). |
event |
connection_created, connection_deleted, field_updated, field_deleted, consent_accepted, consent_declined, document_status_changed. |
person_id |
The person the change is about (may be None). |
slug, value, live |
Present only on field_updated; value is typed exactly like Value.value (incl. a lazy BinaryHandle for binaries). Connection/consent/document events carry no slot/value. |
document_id, status |
Present only on document_status_changed — which document moved lifecycle state and to what (no slug/value). See Company documents. |
at |
datetime of the change. (There is no separate updated_at on a change.) |
.raw
Every model carries .raw — the underlying hardened API dict — for debugging
or an edge case the SDK didn't model. It still never contains the person's source
field.
See docs/model.md for the full reference.
The changes pump
The changes feed is a server-side drain-on-fetch queue:
GET /api/company-data/changes?limit=N returns up to N events (default 100, max
500) and deletes exactly those rows in the same transaction — no
offset/cursor, and the API keeps no copy afterward. So consumption can't be a
plain list: a consumer crash mid-batch would lose events the API already deleted,
and a huge backlog must not materialize in memory. process_changes solves both.
Per run, repeating until the feed is empty then returning:
- Replay first. Deliver any un-acked events already in the local buffer (from a previous crashed run), oldest-first.
- Drain. When the buffer is empty, fetch one batch and persist it to the durable file buffer (fsync) BEFORE handing anything out. This is the backup the API no longer has.
- Deliver one-by-one. For each buffered event, oldest-first: decrypt its value at delivery (never on disk), build the typed
Change, callhandler. - Ack / retry / dead-letter. On success, remove the event from the buffer (ack). On a handler error, retry with backoff up to
max_retries; then either move it to the dead-letter store and continue (on_error="deadletter", default — one poison event never wedges the stream) or stop and re-raise (on_error="halt"). ADecryptErroron a buffered event (corrupt/truncated ciphertext, rotated key) is dead-lettered immediately — re-decrypting can't fix it, so it does not burn retries (underon_error="halt"it re-raises). Either way it never propagates out and wedges replay. - Repeat until a drain returns empty and the buffer is drained → return.
The durable buffer
- Plain files under
cache_dir(zero extra dependencies):pending/for un-acked events,deadletter/for ones that exhausted retries. - Stored events keep their ciphertext value — no plaintext PII is ever written to disk. Decryption happens only at delivery.
- Writes are crash-safe (temp file → fsync → atomic rename → dir fsync). Files are named with a monotonic, zero-padded sequence so they replay oldest-first.
Crash safety, at-least-once, and idempotency
A batch is durably buffered before any delivery, and acked per-item only after the handler succeeds. The ack can't be atomic with your side-effects — a crash between your handler's success and its ack re-delivers that event on the next run. That makes delivery at-least-once, so:
Your handler must be idempotent. Dedup on
Change.id.
Change.id is the stable server change-row id, captured before the server delete,
so it survives crash + replay unchanged.
No follow mode
process_changes returns when the feed empties. You schedule re-runs — a
cron job, a while True: client.process_changes(handle); time.sleep(5) loop, a
worker queue, whatever fits. The feed is cheap to poll (see
Rate limits).
Worked example
import time
from allus_company_data import Client
client = Client.from_config("allus.json")
def handle(change):
# Idempotent: skip anything we've already applied.
if seen(change.id):
return
match change.event:
case "field_updated":
store_value(change.person_id, change.slug, change.value, live=change.live)
case "field_deleted":
clear_value(change.person_id, change.slug)
case "connection_deleted":
drop_person(change.person_id)
case "connection_created" | "consent_accepted" | "consent_declined":
note_event(change.person_id, change.event, change.at)
record_seen(change.id)
# Schedule your own re-runs; process_changes itself returns when empty.
while True:
client.process_changes(handle, batch_size=200, max_retries=5)
time.sleep(5)
If a handler keeps failing, the event lands in the dead-letter store instead of
blocking the stream; inspect with client.dead_letters() and re-drive with
client.retry_dead_letters(handle) after fixing the cause. See
docs/pump.md.
Webhooks
Webhooks are the lower-latency push alternative to polling the changes feed. The platform POSTs each change event to your configured webhook URL with:
X-Allus-Webhook-Id— which webhook this is (selects the HMAC secret from config).X-Allus-Signature—HMAC-SHA256(rawBody, secret)as lowercase hex.- the body — the same slug-keyed
Changeshape as the pull feed (JSON or XML).
All secrets/keys come from config; the helpers take no key or secret arguments. Use the raw request body bytes (do not re-serialize a parsed body — the HMAC is over the exact bytes the platform sent).
In a web route (Flask)
from flask import Flask, request, abort
from allus_company_data import Client, WebhookError
app = Flask(__name__)
client = Client.from_config("allus.json")
@app.post("/allus/webhook")
def allus_webhook():
try:
change = client.handle_webhook(request.get_data(), dict(request.headers))
except WebhookError:
abort(401) # bad / unknown signature, or unparseable envelope
# Same idempotency rule as the pump: dedup on change.id.
if not seen(change.id):
apply_change(change)
record_seen(change.id)
return ("", 204)
verify_webhook / parse_webhook let you split the steps if you prefer:
if not client.verify_webhook(raw_body, headers):
abort(401)
change = client.parse_webhook(raw_body, headers)
Config-driven secrets
Per-webhook HMAC secrets live in the config webhooks map, keyed by webhook id;
the SDK reads X-Allus-Webhook-Id off the request and looks up the matching
secret. A single-webhook service can use the flat "webhook_secret": "…"
shortcut (or ALLUS_WEBHOOK_SECRET). An unknown/unconfigured id ⇒ verification
returns False (and handle_webhook raises WebhookError).
The encrypt_payload account-key envelope
If a webhook has encrypt_payload enabled, the body is replaced by a
{"_enc":1,…} envelope encrypted to your company account key (and the HMAC is
over that envelope — the final bytes sent). parse_webhook/handle_webhook
unwrap it transparently using the configured account_private_key +
account_passphrase, then decrypt the inner field value with the service key — so
an encrypted-payload Change is identical to a plain one. If you receive such a
webhook without an account_private_key configured, you get a WebhookError.
The account-key envelope uses OAEP-SHA1 (OpenSSL's default), distinct from the OAEP-SHA256 used for person field values — the SDK handles this difference internally; you only supply the account key in config.
See docs/webhooks.md.
Company documents
Documents are content your service issues to people (a quote, a contract, a JSON payload, a PDF) — the mirror image of the request slots. They come in two shapes:
- Broadcast — no target. Sent to every connection on the service. Plaintext — you can't single-key-encrypt one value to all your connections, so a broadcast value is stored as-is.
- Per-person — targeted at one connection (
connection_id=/person_user_id=/share_code=). Automatically end-to-end encrypted to that recipient's public key before it leaves the process. The server only ever stores ciphertext.
The encryption rule, plainly: every per-person document is automatically end-to-end encrypted to the recipient's public key — for any
is_privatevalue. Broadcast documents are plaintext.is_privateis a device-display-only flag (it picks lock-screen vs decrypt-on-load on the recipient's device), not what decides encryption — sois_private=Truewith no per-person target raisesConfigError. As everywhere in this SDK, no method ever takes a key or secret argument — the recipient key is fetched for you, and your own service key comes from config.
Creating documents
payload_kind picks the body:
payload_kind="json"— passjson_value=(a JSON-serializable object).payload_kind="file"— passfile_bytes=(+ file_mime=); the bytes are uploaded. For a per-person file the bytes are encrypted automatically too.
from allus_company_data import Client
client = Client.from_config("allus.json")
# 1. BROADCAST plaintext json doc — every connection sees it, no target.
notice = client.create_document(
kind="document",
name="2026 price list",
payload_kind="json",
json_value={"plan": "pro", "monthly": 49, "currency": "EUR"},
)
# 2. PER-PERSON doc — auto-encrypted to that recipient's public key.
# Target it by ANY one of connection_id / person_user_id / share_code.
contract = client.create_document(
kind="document",
name="Service agreement",
payload_kind="json",
is_private=True, # display-only; needs a per-person target
connection_id="019xxxxxxxxxxxxxxxxxxxxxxxxx",
json_value={"tier": "enterprise", "term_months": 12},
)
# A per-person FILE — the bytes are encrypted for the recipient automatically.
with open("agreement.pdf", "rb") as fh:
pdf = client.create_document(
kind="legal_document",
name="Signed agreement",
payload_kind="file",
person_user_id="019yyyyyyyyyyyyyyyyyyyyyyyyy",
file_bytes=fh.read(),
file_mime="application/pdf",
)
# is_private without a target → ConfigError (a broadcast can't be locked).
Listing, reading, updating, deleting
list_documents(*, person_user_id=None, status=None, limit=100, offset=0) -> list[Document]
document(document_id) -> Document
update_document_status(document_id, status) -> Document
update_document_metadata(document_id, *, metadata=None, name=None,
description=None) -> Document
delete_document(document_id) -> None
# All this service's documents (optionally filter by person and/or status).
for doc in client.list_documents(status="offering"):
print(doc.id, doc.name, doc.status, doc.payload_kind, "private" if doc.is_private else "shared")
doc = client.document(contract.id)
# For a json doc, .json() returns the plaintext object — a per-person doc is
# decrypted with your service key on demand; a broadcast doc is already plaintext.
print(doc.json())
# Move it through its lifecycle / edit its metadata.
client.update_document_status(contract.id, "active")
client.update_document_metadata(contract.id, name="Service agreement (v2)",
metadata={"renewal": "auto"})
client.delete_document(notice.id)
A Document carries id, kind, name, description, status, payload_kind, is_private, value, metadata, created_at, updated_at (and .raw). Use .json()
on a payload_kind="json" document to get the decrypted plaintext object.
Reacting to a status change in the feed
When someone advances one of your documents (e.g. signs it), the platform emits a
document_status_changed change. In a process_changes handler it carries
.document_id and .status (and no slug/value — it's a lifecycle event,
not a field value):
def handle(change):
if change.event == "document_status_changed":
# the document moved lifecycle state (offering → ready_to_sign → active → …)
on_document_status(change.document_id, change.status)
elif change.event == "field_updated":
store(change.person_id, change.slug, change.value)
client.process_changes(handle)
Rate limits
| Endpoint | Limit | Use it for |
|---|---|---|
changes (the pump) |
generous | Poll as often as you like — it's a cheap drain-on-fetch queue. |
request-fields, logs |
moderate | Occasional reads. |
connections, connection(id), binary /file |
heavily limited | Initial full sync + occasional reconciliation only — never as a poll substitute. |
A 429 carries Retry-After. The SDK backs off and retries automatically:
- The transport (
HttpClient) retries a 429 a bounded number of times honoringRetry-After, then surfacesRateLimitError. - The
connections(...)generator additionally backs off perRetry-Afteron a surfacedRateLimitErrorand retries the page a bounded number of times before re-raising — so it paces itself within the limit instead of hammering.
If you catch a RateLimitError, its .retry_after is the seconds to wait
(or None when the header was absent).
Errors
All from allus_company_data. Same taxonomy + names across all six SDKs.
| Error | When |
|---|---|
ConfigError |
Missing/invalid config, unreadable key file, or wrong passphrase — at construction (fail fast). |
AuthError |
Token fetch/refresh failed (bad client_id/secret, revoked client); or a 401 survives the one automatic refresh-and-retry. |
ApiError(status, error_key, message) |
Any non-2xx from the API; carries the HTTP status, the platform error_key (when present), and message. |
DecryptError |
A ciphertext wrapper is malformed, the key is wrong, or the GCM tag mismatches. Surfaces when a value is accessed/decrypted. |
WebhookError |
Signature verification failed, or an envelope couldn't be unwrapped/parsed. |
RateLimitError(retry_after) |
A 429 from a rate-limited endpoint. Subclass of ApiError (status fixed at 429); carries retry_after (seconds, or None). |
from allus_company_data import (
Client, ConfigError, AuthError, ApiError,
DecryptError, WebhookError, RateLimitError,
)
try:
client = Client.from_config("allus.json")
for conn in client.connections():
...
except ConfigError as e:
... # fix the config / key file
except RateLimitError as e:
wait(e.retry_after or 60)
except ApiError as e:
log(e.status, e.error_key, e.message)
See docs/errors.md.
How it's wired
Everything below is what the SDK hides so your code only ever sees conclusions.
Auth / token. An HttpClient owns a client_credentials-only token. On the
first call (or when the cached token nears expiry) it POSTs
client_id/client_secret to {api_url}/oauth2/token and caches the bearer
token + its expiry; refresh is automatic. A mid-flight 401 triggers exactly one
refresh-and-retry, then AuthError. The token is scoped server-side to one
service, so every call is implicitly that service's data.
Slug resolution. request_fields() is fetched once and cached; its slug→type
map types every value (so address parses to a dict, photo becomes a lazy
binary handle, etc.). The connection/changes endpoints return values keyed by
your request slug — the person's source field is dropped server-side and
never reaches the SDK.
Decryption (zero-knowledge). The service private key is loaded once at
construction from the configured encrypted PEM + passphrase into an in-memory RSA
key. A decrypt closure over it is handed to every model factory and the pump —
the key never appears in a method signature. Each value is a hybrid wrapper
({"_enc":1,"k":rsa_oaep_sha256(aesKey),"iv":…,"d":aes256gcm(…)}); the SDK
RSA-OAEP-SHA256 unwraps the AES key, then AES-256-GCM decrypts the payload. The
platform only ever holds ciphertext — it never sees your plaintext.
Binary fetch. A binary value is a lazy BinaryHandle over a slot-keyed
value_url. On .bytes()/.save() it GETs that file endpoint, unwraps the
{"encrypted":true,"value":<wrapper>} envelope, runs the same service-key
decrypt to a JSON file-envelope, and base64-decodes its data URI to the file
bytes. (Slot-keyed, never source-field-keyed.)
The drain-on-fetch feed. process_changes delegates to a Pump wired to a
fetch_changes closure (GET /changes?limit=, returning raw ciphertext events)
and a decrypt closure (builds a typed Change). Because the fetch deletes the
rows it returns, the pump persists each batch to the durable file buffer
(ciphertext at rest) before delivery, acks per-item after your handler succeeds,
and replays the buffer on restart — see The changes pump.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file allus_company_data-0.0.6.tar.gz.
File metadata
- Download URL: allus_company_data-0.0.6.tar.gz
- Upload date:
- Size: 102.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e0e85d9bb3fea2204e1ea179ba195f10f1253dcfbd25c46f38b0b011620b1c73
|
|
| MD5 |
928086ac8491459439201f99b4982c10
|
|
| BLAKE2b-256 |
e3cb1b6765749f3e58986ec88a641b8eaa5f7024ffb434e0ac9fca60aab773c8
|
Provenance
The following attestation bundles were made for allus_company_data-0.0.6.tar.gz:
Publisher:
publish.yml on allus-fyi/company-data-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
allus_company_data-0.0.6.tar.gz -
Subject digest:
e0e85d9bb3fea2204e1ea179ba195f10f1253dcfbd25c46f38b0b011620b1c73 - Sigstore transparency entry: 1912139409
- Sigstore integration time:
-
Permalink:
allus-fyi/company-data-python@e60e80bc0115830a4b5f1b8c2e41ff7d39eaad54 -
Branch / Tag:
refs/tags/v0.0.6 - Owner: https://github.com/allus-fyi
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e60e80bc0115830a4b5f1b8c2e41ff7d39eaad54 -
Trigger Event:
push
-
Statement type:
File details
Details for the file allus_company_data-0.0.6-py3-none-any.whl.
File metadata
- Download URL: allus_company_data-0.0.6-py3-none-any.whl
- Upload date:
- Size: 57.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0f14d9bc16c7be0092d870b6d13b617e05a837196727d20522f213462b178263
|
|
| MD5 |
87f3bf749a70a60a86057830fa03bfb4
|
|
| BLAKE2b-256 |
e1e5c7280d2809fe26c35cc8a640dc67a5daf7a793d5f7180782afe1ba6c3e79
|
Provenance
The following attestation bundles were made for allus_company_data-0.0.6-py3-none-any.whl:
Publisher:
publish.yml on allus-fyi/company-data-python
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
allus_company_data-0.0.6-py3-none-any.whl -
Subject digest:
0f14d9bc16c7be0092d870b6d13b617e05a837196727d20522f213462b178263 - Sigstore transparency entry: 1912139577
- Sigstore integration time:
-
Permalink:
allus-fyi/company-data-python@e60e80bc0115830a4b5f1b8c2e41ff7d39eaad54 -
Branch / Tag:
refs/tags/v0.0.6 - Owner: https://github.com/allus-fyi
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@e60e80bc0115830a4b5f1b8c2e41ff7d39eaad54 -
Trigger Event:
push
-
Statement type: