Skip to main content

Alter Vault Python SDK - OAuth token management with policy enforcement

Project description

Alter SDK for Python

Official Python SDK for Alter Vault — credential and authorization layer for apps and AI agents that call third-party APIs.

Tokens stay in the vault. The SDK injects the credential, refreshes it, and writes the audit row — application code only calls vault.request() (or vault.proxy_request() when the backend should make the outgoing call instead of the SDK).

Install

pip install alter-sdk

Requires Python 3.10+.

Quick example

Make an authenticated API call — no token ever touches application code.

import asyncio
from alter_sdk import App, HttpMethod

async def main():
    async with App(api_key="<api-key>") as vault:
        response = await vault.request(
            HttpMethod.POST,
            "https://api.example.com/resource",
            grant_id="<grant-id>",
            json={"example": "payload"},
        )
        print(response.status_code, response.json())

asyncio.run(main())

For a full walkthrough — sign-up, key minting, OAuth — see the Quickstart.

Two runtime modes

The SDK exposes two ways to reach a third-party API:

  • vault.request(...)retrieve mode. The SDK fetches the token from the backend and makes the outgoing call itself. Returns the third-party response.
  • vault.proxy_request(...)proxy mode. The backend holds the token, makes the outgoing call, and returns the result. Application code and the SDK never observe the token. Required for any grant configured with human-in-the-loop approval; available for any other grant when wire-level audit, strong token isolation, or backend-side policy enforcement matter.

See runtime modes for the tradeoffs and when to pick each.

Recovering from missing-grant errors

When a request fails because the user hasn't authorized the provider yet, the SDK exposes recovery context on the typed error so you can drive a re-consent flow without re-deriving anything from the call site:

from alter_sdk import NoDelegatedGrantError

try:
    await vault.request(provider="<provider-id>", user_token=jwt, url=..., method=...)
except NoDelegatedGrantError as e:
    session = await vault.create_connect_session_for_error(
        e,
        allowed_origin="https://app.example.com",
    )
    # Surface session.connect_url to the user — popup, redirect,
    # out-of-band message, whatever your framework does.
    results = await vault.poll_connect_session(session.session_token)
    # Retry with the freshly-minted grant_id.
    response = await vault.request(grant_id=results[0].grant_id, url=..., method=...)

NoDelegatedGrantError and GrantNotFoundError carry provider_id / agent_id / app_user_id recovery context when the original lookup was identity-mode; CredentialRevokedError carries provider_id / app_user_id. See the error reference for the full surface.

Documentation

Full docs are at https://docs.alterauth.com.

Topic Page
Getting started end-to-end Quickstart
The mental model How Alter works
Calling APIs on behalf of users (OAuth + JWT) Guide
Identity provider setup Auth0 / Clerk / Okta / Custom OIDC
Provisioning backend secrets Guide
Scoped credentials for AI agents Guide
Human-in-the-loop approvals Guide
Runtime modes (retrieve vs proxy) Concept
Integrating with Claude Code (MCP) Guide
Per-method API reference Python SDK reference
Errors Error reference

License

MIT. See LICENSE.

Support

Email founders@alterauth.com or open an issue at https://github.com/alter-ai/alter-vault.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

alter_sdk-0.15.0.tar.gz (157.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

alter_sdk-0.15.0-py3-none-any.whl (169.8 kB view details)

Uploaded Python 3

File details

Details for the file alter_sdk-0.15.0.tar.gz.

File metadata

  • Download URL: alter_sdk-0.15.0.tar.gz
  • Upload date:
  • Size: 157.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.15.0.tar.gz
Algorithm Hash digest
SHA256 42f791f6cb9a7b2bff7840afda56abf83ad408700fb7914089ef3ff0524986fa
MD5 5c2589b7512a987709ab2948668e8167
BLAKE2b-256 5f818eeba35717bd57689afb2860b38ac443040768a957e788cce2b8be9e1d83

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.15.0.tar.gz:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alter_sdk-0.15.0-py3-none-any.whl.

File metadata

  • Download URL: alter_sdk-0.15.0-py3-none-any.whl
  • Upload date:
  • Size: 169.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.15.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b60657953b4d2bd9af9168d721d1f18c761d3e510fcc9787a19ff92db3bcea8c
MD5 d98f4d73bcc95f1340c6a5e4edabf988
BLAKE2b-256 5f3b855ab83211553a4a7529ab79889a9662b2ebb87e1c9b1feb0071bfd4176c

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.15.0-py3-none-any.whl:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page