Skip to main content

Alter Vault Python SDK - OAuth token management with policy enforcement

Project description

Alter SDK for Python

Official Python SDK for Alter Vault — credential and authorization layer for apps and AI agents that call third-party APIs.

Tokens stay in the vault. The SDK injects the credential, refreshes it, and writes the audit row — application code only calls vault.request() (or vault.proxy_request() when the backend should make the outgoing call instead of the SDK).

Install

pip install alter-sdk

Requires Python 3.10+.

Quick example

Make an authenticated API call — no token ever touches application code.

import asyncio
from alter_sdk import App, HttpMethod

async def main():
    async with App(api_key="<api-key>") as vault:
        response = await vault.request(
            HttpMethod.POST,
            "https://api.example.com/resource",
            grant_id="<grant-id>",
            json={"example": "payload"},
        )
        print(response.status_code, response.json())

asyncio.run(main())

For a full walkthrough — sign-up, key minting, OAuth — see the Quickstart.

Two runtime modes

The SDK exposes two ways to reach a third-party API:

  • vault.request(...)retrieve mode. The SDK fetches the token from the backend and makes the outgoing call itself. Returns the third-party response.
  • vault.proxy_request(...)proxy mode. The backend holds the token, makes the outgoing call, and returns the result. Application code and the SDK never observe the token. Required for any grant configured with human-in-the-loop approval; available for any other grant when wire-level audit, strong token isolation, or backend-side policy enforcement matter.

See runtime modes for the tradeoffs and when to pick each.

Recovering from missing-grant errors

When a request fails because the user hasn't authorized the provider yet, the SDK exposes recovery context on the typed error so you can drive a re-consent flow without re-deriving anything from the call site:

from alter_sdk import NoDelegatedGrantError

try:
    await vault.request(provider="<provider-id>", user_token=jwt, url=..., method=...)
except NoDelegatedGrantError as e:
    session = await vault.create_connect_session_for_error(
        e,
        allowed_origin="https://app.example.com",
    )
    # Surface session.connect_url to the user — popup, redirect,
    # out-of-band message, whatever your framework does.
    results = await vault.poll_connect_session(session.session_token)
    # Retry with the freshly-minted grant_id.
    response = await vault.request(grant_id=results[0].grant_id, url=..., method=...)

create_connect_session_for_error and poll_connect_session are available on both App and Agent so the catch block can recover from whichever client raised.

NoDelegatedGrantError and GrantNotFoundError carry provider_id / agent_id / app_user_id recovery context when the original lookup was identity-mode; CredentialRevokedError carries provider_id / app_user_id. See the error reference for the full surface.

Documentation

Full docs are at https://docs.alterauth.com.

Topic Page
Getting started end-to-end Quickstart
The mental model How Alter works
Calling APIs on behalf of users (OAuth + JWT) Guide
Identity provider setup Auth0 / Clerk / Okta / Custom OIDC
Provisioning backend secrets Guide
Scoped credentials for AI agents Guide
Human-in-the-loop approvals Guide
Runtime modes (retrieve vs proxy) Concept
Integrating with Claude Code (MCP) Guide
Per-method API reference Python SDK reference
Errors Error reference

License

MIT. See LICENSE.

Support

Email founders@alterauth.com or open an issue at https://github.com/alter-ai/alter-vault.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

alter_sdk-0.18.0.tar.gz (167.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

alter_sdk-0.18.0-py3-none-any.whl (180.4 kB view details)

Uploaded Python 3

File details

Details for the file alter_sdk-0.18.0.tar.gz.

File metadata

  • Download URL: alter_sdk-0.18.0.tar.gz
  • Upload date:
  • Size: 167.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.18.0.tar.gz
Algorithm Hash digest
SHA256 2a67fcd7396f98d53c2b402db0a4ef5793bded3eb0f71670d766f704cfcfb0ee
MD5 a447bfecee811155a62ceafcade20338
BLAKE2b-256 ff41acc67fdcc2f8ed90a4ff21e6b57fc03e0d36e0b6e9e9c5eea4dd63caa353

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.18.0.tar.gz:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alter_sdk-0.18.0-py3-none-any.whl.

File metadata

  • Download URL: alter_sdk-0.18.0-py3-none-any.whl
  • Upload date:
  • Size: 180.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.18.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8454f67228eff2148b9e416b2ba785c1023a84c7a98d7d3361ec7dc6df9e13aa
MD5 0994d721b0b79ae2cfc5d0f894fb1739
BLAKE2b-256 093fce185d33d867ee84b2e11a9478d39ec1d72f0356de69803c4ec4e9b9a21d

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.18.0-py3-none-any.whl:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page