FastAPI Auth Middleware for Clerk (https://clerk.com)
Project description
FastAPI Clerk Auth Middleware
A lightweight, easy-to-use authentication middleware for FastAPI that integrates with Clerk authentication services.
This middleware allows you to secure your FastAPI routes by validating JWT tokens against your Clerk JWKS endpoint, making it simple to implement authentication in your API.
Features
- 🔒 Secure API routes with Clerk JWT validation
- 🚀 Simple integration with FastAPI's dependency injection system
- ⚙️ Flexible configuration options (auto error responses, request state access)
- 📝 Decoded token payload accessible in your route handlers
Installation
pip install fastapi-clerk-auth
Basic Usage
from fastapi import FastAPI, Depends
from fastapi_clerk_auth import ClerkConfig, ClerkHTTPBearer, HTTPAuthorizationCredentials
from fastapi.responses import JSONResponse
from fastapi.encoders import jsonable_encoder
app = FastAPI()
# Use your Clerk JWKS endpoint
clerk_config = ClerkConfig(jwks_url="https://your-clerk-frontend-api.clerk.accounts.dev/.well-known/jwks.json")
clerk_auth_guard = ClerkHTTPBearer(config=clerk_config)
@app.get("/")
async def read_root(credentials: HTTPAuthorizationCredentials | None = Depends(clerk_auth_guard)):
return JSONResponse(content=jsonable_encoder(credentials))
The returned credentials model will be either None or an HTTPAuthorizationCredentials object with these properties:
scheme: Indicates the scheme of the Authorization header (Bearer)credentials: Raw token received from the Authorization headerdecoded: The payload of the decoded token
Configuration Options
Disabling Auto Errors
By default, the middleware automatically returns 403 errors if the token is missing or invalid. You can disable this behavior:
clerk_config = ClerkConfig(
jwks_url="https://your-clerk-frontend-api.clerk.accounts.dev/.well-known/jwks.json",
auto_error=False
)
This allows requests to reach the endpoint for additional logic or custom error handling:
@app.get("/protected")
async def protected_endpoint(credentials: HTTPAuthorizationCredentials | None = Depends(clerk_auth_guard)):
if not credentials:
return {"message": "You're not authenticated, but you can still see this limited data"}
# Full access for authenticated users
return {"message": "Full access granted", "user_data": credentials.decoded}
Adding Auth Data to Request State
You can have the HTTPAuthorizationCredentials added to the request state for easier access:
from fastapi import Depends, Request, APIRouter
from fastapi_clerk_auth import ClerkConfig, ClerkHTTPBearer, HTTPAuthorizationCredentials
from fastapi.responses import JSONResponse
from fastapi.encoders import jsonable_encoder
clerk_config = ClerkConfig(
jwks_url="https://your-clerk-frontend-api.clerk.accounts.dev/.well-known/jwks.json"
)
clerk_auth_guard = ClerkHTTPBearer(config=clerk_config, add_state=True)
router = APIRouter(prefix="/todo", dependencies=[Depends(clerk_auth_guard)])
@router.get("/")
async def read_todo_list(request: Request):
auth_data: HTTPAuthorizationCredentials = request.state.clerk_auth
user_id = auth_data.decoded.get("sub")
# Use user_id to fetch the user's todo items
return {"message": f"Todo items for user {user_id}"}
Advanced Usage
Role-Based Access Control
You can implement role-based access control by checking the JWT claims:
from fastapi import Depends, HTTPException, status
def admin_required(credentials: HTTPAuthorizationCredentials = Depends(clerk_auth_guard)):
if not credentials:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Not authenticated"
)
user_roles = credentials.decoded.get("roles", [])
if "admin" not in user_roles:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Admin permission required"
)
return credentials
@app.get("/admin", dependencies=[Depends(admin_required)])
async def admin_only():
return {"message": "Welcome, admin!"}
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fastapi_clerk_auth-0.0.7.tar.gz.
File metadata
- Download URL: fastapi_clerk_auth-0.0.7.tar.gz
- Upload date:
- Size: 8.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9a6d1a92c6cf7265a3f512558d84b82996930cbe16602f2b0f19239b8eb2a2f4
|
|
| MD5 |
ce97a60dc767a385a92696aa0075404c
|
|
| BLAKE2b-256 |
966e03f69825b53d6ee5da14d9f3ab611c79bf6dd61de2b1302eaeb42036ceae
|
File details
Details for the file fastapi_clerk_auth-0.0.7-py3-none-any.whl.
File metadata
- Download URL: fastapi_clerk_auth-0.0.7-py3-none-any.whl
- Upload date:
- Size: 6.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4cb4e3b9b1744879d3e65903aedc2eeb0531b99e50844b05afca8de532a0ca49
|
|
| MD5 |
dba3c5c6a7b864e3d7a7c525f7034b0a
|
|
| BLAKE2b-256 |
03658e40515322b0aaf2b24d1bc92535214d42816b1bf53bff89e2106f1b3571
|
