Python SDK for Coze workload identity authentication
Project description
Coze Workload Identity SDK
A Python SDK for Coze workload identity authentication using OAuth2.0 token exchange.
Features
- 🔐 Secure OAuth2.0 token exchange flow
- 🚀 Thread-safe token caching with automatic expiration
- 📝 Comprehensive error handling
- 🧪 Fully tested with high coverage
- 📦 Easy to install and use
- 🏊♂️ Lane support (泳道) for different environments (BOE, PPE, custom)
Installation
pip install coze-workload-identity
Quick Start
- Set up environment variables:
export COZE_WORKLOAD_IDENTITY_CLIENT_ID="your_client_id"
export COZE_WORKLOAD_IDENTITY_CLIENT_SECRET="your_client_secret"
export COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT="https://auth.example.com/token"
export COZE_WORKLOAD_ACCESS_TOKEN_ENDPOINT="https://auth.example.com/access-token"
- Use the SDK:
from coze_workload_identity import Client
# Create client
client = Client()
# Get access token
token = client.get_access_token()
print(f"Access token: {token}")
# Use as context manager
with Client() as client:
token = client.get_access_token()
# Use the token for API calls
Configuration
The SDK requires the following environment variables:
| Variable | Description | Required |
|---|---|---|
COZE_WORKLOAD_IDENTITY_CLIENT_ID |
Client ID for authentication | ✅ |
COZE_WORKLOAD_IDENTITY_CLIENT_SECRET |
Client secret for authentication | ✅ |
COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT |
Token endpoint for ID token | ✅ |
COZE_WORKLOAD_ACCESS_TOKEN_ENDPOINT |
Access token endpoint for token exchange | ✅ |
COZE_OUTBOUND_AUTH_ENDPOINT |
Integration credential endpoint (required for get_integration_credential) | ❌ |
COZE_SERVER_ENV |
Lane environment (optional, default: NONE) | ❌ |
Lane Support (泳道支持)
The SDK supports lane environments through the COZE_SERVER_ENV environment variable:
- NONE (default): No lane headers are added
- boe_*: Adds
x-tt-env: boe_<lane>header - ppe_*: Adds
x-tt-env: ppe_<lane>andx-use-ppe: 1headers - custom: Adds
x-tt-env: <custom>header
Examples:
# BOE lane
export COZE_SERVER_ENV="boe_test_lane"
# PPE lane
export COZE_SERVER_ENV="ppe_production_lane"
# Custom lane
export COZE_SERVER_ENV="my_custom_lane"
API Reference
Client
The main class for interacting with the workload identity service.
Constructor
Client()
Creates a new client instance. Configuration is loaded from environment variables.
Methods
get_access_token()
Retrieves an access token using the OAuth2.0 token exchange flow.
Returns: str - The access token
Raises:
ConfigurationError- If required configuration is missingTokenRetrievalError- If ID token retrieval failsTokenExchangeError- If token exchange fails
Example:
try:
token = client.get_access_token()
# Use the token for API calls
except ConfigurationError as e:
print(f"Configuration error: {e}")
except TokenRetrievalError as e:
print(f"Token retrieval error: {e}")
except TokenExchangeError as e:
print(f"Token exchange error: {e}")
close()
Closes the client and cleans up resources.
Example:
client = Client()
try:
token = client.get_access_token()
finally:
client.close()
get_integration_credential(integration_name)
Retrieves integration credentials for the specified integration name.
Args:
integration_name(str): Name of the integration
Returns: str - The integration credential
Raises:
ConfigurationError- If COZE_OUTBOUND_AUTH_ENDPOINT is not configuredTokenRetrievalError- If access token retrieval failsException- If integration credential API returns non-200 status or invalid response
Example:
try:
credential = client.get_integration_credential("my_integration")
# Use the credential for integration API calls
except ConfigurationError as e:
print(f"Configuration error: {e}")
except Exception as e:
print(f"Integration error: {e}")
API Response Format: The integration credential endpoint should return:
{
"code": 0,
"msg": "success",
"data": {
"credential": "integration_credential_string"
}
}
Error Handling:
- 4xx errors: Client errors (e.g., invalid integration name)
- 5xx errors: Server errors
- Non-zero code: API business logic errors
Exceptions
WorkloadIdentityError
Base exception for all workload identity SDK errors.
ConfigurationError
Raised when required configuration is missing or invalid.
TokenRetrievalError
Raised when ID token retrieval fails.
TokenExchangeError
Raised when token exchange fails.
Token Caching
The SDK automatically caches tokens to avoid unnecessary HTTP requests:
- ID tokens are cached based on their
expires_invalue - Access tokens are cached based on their
expires_invalue - A 1-minute buffer is applied to prevent using tokens that are about to expire
- The cache is thread-safe and supports concurrent access
Thread Safety
The SDK is designed to be thread-safe:
- Token cache operations are protected by locks
- Multiple threads can safely call
get_access_token()concurrently - The HTTP session is shared across threads
Error Handling
The SDK provides detailed error information:
from coze_workload_identity import Client, ConfigurationError, TokenRetrievalError, TokenExchangeError
client = Client()
try:
token = client.get_access_token()
except ConfigurationError as e:
# Handle missing or invalid configuration
print(f"Configuration error: {e}")
except TokenRetrievalError as e:
# Handle ID token retrieval failures
print(f"Token retrieval error: {e}")
except TokenExchangeError as e:
# Handle token exchange failures
print(f"Token exchange error: {e}")
except Exception as e:
# Handle other unexpected errors
print(f"Unexpected error: {e}")
finally:
client.close()
Logging
The SDK uses Python's logging module. To enable debug logging:
import logging
logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger('workload_identity')
logger.setLevel(logging.DEBUG)
Development
Setting up for development
git clone <repository-url>
cd workload-identity-sdk
pip install -e .[dev]
Running tests
pytest tests/ -v --cov=workload_identity
Code formatting
black workload_identity/ tests/
Type checking
mypy workload_identity/
License
MIT License - see LICENSE file for details.
Contributing
Contributions are welcome! Please read our contributing guidelines and submit pull requests to our repository.
Support
For issues and questions:
- Create an issue in the GitHub repository
- Check existing issues for solutions
- Review the documentation and examples
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file coze_workload_identity-0.1.1.tar.gz.
File metadata
- Download URL: coze_workload_identity-0.1.1.tar.gz
- Upload date:
- Size: 10.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d3512eb4e82b82a4ae7b138bc51b1813328cadc304fbebc640d414f66448f51
|
|
| MD5 |
063e8672b18d2e11fe4e458113cdb786
|
|
| BLAKE2b-256 |
31db2921eea4bf7488f2e9fa78ef21b9437562cad01378a4a78e5fe8fc915328
|
File details
Details for the file coze_workload_identity-0.1.1-py3-none-any.whl.
File metadata
- Download URL: coze_workload_identity-0.1.1-py3-none-any.whl
- Upload date:
- Size: 7.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f81f8dfa32b61041f5b911337f1633ddcecebc57ccabe23e0406753935bb18d3
|
|
| MD5 |
8ee14adbedd3106923880e78e62013e4
|
|
| BLAKE2b-256 |
360043dc22ba466269573ed252ac9e0bf4a9a057d3aa883e2c74fa794b16d169
|
