Skip to main content

Alter Vault Python SDK - OAuth token management with policy enforcement

Project description

Alter SDK for Python

Official Python SDK for Alter Vault — credential and authorization layer for apps and AI agents that call third-party APIs.

Tokens stay in the vault. The SDK injects the credential, refreshes it, and writes the audit row — application code only calls vault.request() (or vault.proxy_request() when the backend should make the outgoing call instead of the SDK).

Install

pip install alter-sdk

Requires Python 3.11+.

Quick example

Make an authenticated API call — no token ever touches application code.

import asyncio
from alter_sdk import App, HttpMethod

async def main():
    async with App(api_key="<api-key>") as vault:
        response = await vault.request(
            HttpMethod.POST,
            "https://api.example.com/resource",
            grant_id="<grant-id>",
            json={"example": "payload"},
        )
        print(response.status_code, response.json())

asyncio.run(main())

For a full walkthrough — sign-up, key minting, OAuth — see the Quickstart.

Two runtime modes

The SDK exposes two ways to reach a third-party API:

  • vault.request(...)retrieve mode. The SDK fetches the token from the backend and makes the outgoing call itself. Returns the third-party response.
  • vault.proxy_request(...)proxy mode. The backend holds the token, makes the outgoing call, and returns the result. Application code and the SDK never observe the token. Required for any grant configured with human-in-the-loop approval; available for any other grant when wire-level audit, strong token isolation, or backend-side policy enforcement matter.

See runtime modes for the tradeoffs and when to pick each.

Recovering from missing-grant errors

When a request fails because the user hasn't authorized the provider yet, the SDK exposes recovery context on the typed error so you can drive a re-consent flow without re-deriving anything from the call site:

from alter_sdk import NoDelegatedGrantError

try:
    await vault.request(provider="<provider-id>", user_token=jwt, url=..., method=...)
except NoDelegatedGrantError as e:
    session = await vault.create_connect_session_for_error(
        e,
        allowed_origin="https://app.example.com",
    )
    # Surface session.connect_url to the user — popup, redirect,
    # out-of-band message, whatever your framework does.
    results = await vault.poll_connect_session(session.session_token)
    # Retry with the freshly-minted grant_id.
    response = await vault.request(grant_id=results[0].grant_id, url=..., method=...)

create_connect_session_for_error and poll_connect_session are available on both App and Agent so the catch block can recover from whichever client raised.

NoDelegatedGrantError and GrantNotFoundError carry provider_id / agent_id / app_user_id recovery context when the original lookup was identity-mode; CredentialRevokedError carries provider_id / app_user_id. See the error reference for the full surface.

OpenTelemetry trace propagation

When the application runs an OpenTelemetry SDK, Alter requests automatically carry the active span's W3C traceparent, so the audit trail — and any spans the organization streams to its own OTLP collector — join the application's traces. No configuration is required and opentelemetry is never installed by the SDK itself — it uses whatever OpenTelemetry the application installed; without it (or without an active span) the SDK behaves exactly as before. (The optional alter-sdk[otel] extra is available to record the supported opentelemetry-api version range in the application's dependency tree.)

from opentelemetry import trace

tracer = trace.get_tracer("the-application")

# Inside an async function; `vault` from the quick start above.
with tracer.start_as_current_span("handle-user-request"):
    # This call's audit events share the surrounding trace's ids.
    response = await vault.request(HttpMethod.GET, url, grant_id=grant_id)

Documentation

Full docs are at https://docs.alterauth.com.

Topic Page
Getting started end-to-end Quickstart
The mental model How Alter works
Calling APIs on behalf of users (OAuth + JWT) Guide
Identity provider setup Auth0 / Clerk / Okta / Custom OIDC
Provisioning backend secrets Guide
Scoped credentials for AI agents Guide
Human-in-the-loop approvals Guide
OpenTelemetry trace propagation Calling APIs
Runtime modes (retrieve vs proxy) Concept
Integrating with Claude Code (MCP) Guide
Per-method API reference Python SDK reference
Errors Error reference

License

MIT. See LICENSE.

Support

Email founders@alterauth.com or open an issue at https://github.com/alter-ai/alter-vault.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

alter_sdk-0.19.0.tar.gz (196.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

alter_sdk-0.19.0-py3-none-any.whl (211.6 kB view details)

Uploaded Python 3

File details

Details for the file alter_sdk-0.19.0.tar.gz.

File metadata

  • Download URL: alter_sdk-0.19.0.tar.gz
  • Upload date:
  • Size: 196.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.19.0.tar.gz
Algorithm Hash digest
SHA256 cb96b43b1928a7cf90d35bc5af6466a3142edbc4021e4e10330244b7539cad92
MD5 1cdf058b252f70dda3cfc4d654828077
BLAKE2b-256 b7d563de2954cbe35d1ee39b9ec4cb1edb219867dcb54b905ecba6bb6b7e1228

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.19.0.tar.gz:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alter_sdk-0.19.0-py3-none-any.whl.

File metadata

  • Download URL: alter_sdk-0.19.0-py3-none-any.whl
  • Upload date:
  • Size: 211.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for alter_sdk-0.19.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c43fdc6892608eb9901c18e9b483e6327d06fe3a0284f203035555d93daad0a6
MD5 82f1fb3d14eb8e28c4a9d3de0866de94
BLAKE2b-256 7b4624722e2580a67acd2b2116dbfd367b270d5472109f081c4755e2b90f3eee

See more details on using hashes here.

Provenance

The following attestation bundles were made for alter_sdk-0.19.0-py3-none-any.whl:

Publisher: python-sdk-release.yml on AlterAIDev/Alter-Vault

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page