authsec-sdk-vnext 4.2.2

Preview AuthSec SDK for bearer-first MCP auth, services, CIBA, and SPIFFE integration

AuthSec Python SDK vNext

Preview Python SDK for AuthSec bearer-first MCP authentication, RBAC, service access, CIBA, delegation, and SPIFFE integrations.

Install

From PyPI:

pip install authsec-sdk-vnext

For local SDK development:

cd packages/python-sdk
pip install -e ".[dev]"

Recommended Setup Flow

The default user flow is:

pip install authsec-sdk-vnext
authsec init

authsec init writes .authsec.json in the current working directory. If you choose the default setup path, it writes these prod endpoints:

• https://prod.api.authsec.ai/sdkmgr/mcp-auth
• https://prod.api.authsec.ai/sdkmgr/services
• https://prod.api.authsec.ai

Use authsec config show to verify the saved configuration.

If you need localhost, staging, or self-hosted AuthSec, choose the custom path in authsec init or set explicit environment overrides.

Team Knowledge Base Flow

The intended acceptance flow matches the protected Team Knowledge Base example:

1. pip install authsec-sdk-vnext
2. authsec init
3. Run your protected MCP server
4. Confirm startup logs show the prod AuthSec endpoints by default

When the app name is Team Knowledge Base (Protected), the expected startup output is:

Auth configured: Team Knowledge Base (Protected) with client_id: 921c2209...
Auth service URL: https://prod.api.authsec.ai/sdkmgr/mcp-auth
Services URL: https://prod.api.authsec.ai/sdkmgr/services
Starting Team Knowledge Base (Protected) MCP Server on 0.0.0.0:3005
Authentication via: https://prod.api.authsec.ai/sdkmgr/mcp-auth
Services via: https://prod.api.authsec.ai/sdkmgr/services
SPIRE Workload Identity: DISABLED

Example Server

This package includes a Python MCP demo at examples/local_authsec_demo_server.py.

Run it like this:

cd packages/python-sdk-vnext
authsec init
set -a
source examples/local_authsec_demo.env.example
set +a
python examples/local_authsec_demo_server.py

By default, the example relies on .authsec.json created by authsec init. Only set AUTHSEC_AUTH_SERVICE_URL or AUTHSEC_SERVICES_URL if you intentionally want to override the prod defaults.

Testing

Install the dev extras and run tests:

cd packages/python-sdk-vnext
pip install -e ".[dev]"
pytest tests/test_config_flow.py

The existing integration tests that point at localhost remain explicit local-service tests; they are not the default user path.

Maintainer Release Flow

Build and verify locally:

cd packages/python-sdk-vnext
python -m build
python -m twine check dist/*

Smoke test the built artifact in a fresh virtualenv:

python -m venv /tmp/authsec-sdk-smoke
source /tmp/authsec-sdk-smoke/bin/activate
pip install /absolute/path/to/packages/python-sdk-vnext/dist/authsec_sdk_vnext-<version>-py3-none-any.whl
authsec init

Publish with token-based Twine auth supplied via environment variables or .pypirc, then verify in a fresh virtualenv with:

pip install authsec-sdk-vnext
authsec init