flask-headless-auth 0.1.7

🔐 Production-ready Flask auth in one line. 20+ routes (JWT, OAuth, MFA, RBAC) instantly. Works with React/Next.js/Vue. Self-hosted, secure by default. Free Auth0/Clerk alternative ($3,600/year saved). Perfect for SPAs.

Flask-Headless-Auth

🔐 Production-ready Flask authentication in one line. Get 20+ auth routes instantly. JWT, OAuth, MFA, RBAC built-in. Works with React, Next.js, Vue, any frontend. The free, self-hosted alternative to Auth0/Clerk ($3,600/year saved).

---

💡 What You Get

In one line of code (AuthSvc(app)), you get a complete authentication system that would take weeks to build:

auth = AuthSvc(app)  # That's it! 🎉

Instantly Available:

• ✅ 20+ Production Routes - Login, signup, OAuth, password reset, MFA, profile management
• ✅ JWT + httpOnly Cookies - Maximum security with automatic fallback
• ✅ OAuth Ready - Google & Microsoft sign-in (GitHub, Apple coming soon)
• ✅ MFA/2FA - Multi-factor authentication built-in
• ✅ RBAC - Role-based access control
• ✅ Email Services - Verification & password reset emails
• ✅ Rate Limiting - Brute force protection
• ✅ Token Blacklisting - Secure logout
• ✅ Security Headers - CSRF, XSS, CORS protection
• ✅ Custom User Models - Use your own schema with validation
• ✅ Production-Ready - Battle-tested, used in real apps

Time Saved: 2-3 weeks of development ⏰ | Money Saved: $3,600/year (vs Auth0/Clerk) 💰

🎬 See It In Action

# app.py - Your ENTIRE auth backend (10 lines!)
from flask import Flask
from flask_headless_auth import AuthSvc

app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret'
app.config['JWT_SECRET_KEY'] = 'jwt-secret'  
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///app.db'

auth = AuthSvc(app)  # ← Magic happens here! ✨

if __name__ == '__main__':
    app.run()

What you just got:

✅ POST /api/auth/signup              Register users
✅ POST /api/auth/login               Email/password login
✅ POST /api/auth/logout              Secure logout + blacklist
✅ GET  /api/auth/user/@me            Get current user
✅ POST /api/auth/token/refresh       Auto token refresh
✅ GET  /api/auth/login/google        Google OAuth
✅ GET  /api/auth/login/microsoft     Microsoft OAuth
✅ POST /api/auth/password/update     Change password
✅ POST /api/auth/request-password-reset  Password reset flow
✅ GET  /api/auth/confirm/<token>     Email verification
✅ POST /api/auth/mfa/enable          2FA setup
✅ POST /api/auth/mfa/verify          2FA verification
... and 10+ more routes!

Frontend Integration (works with any framework):

// React, Next.js, Vue, Angular - your choice!
const response = await fetch('http://localhost:5000/api/auth/login', {
  method: 'POST',
  credentials: 'include',  // httpOnly cookies
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email, password })
});

Or use our React SDK for even simpler integration:

npm install @headlesskits/react-headless-auth

---

🎯 Why Choose This Over Auth0, Clerk, or Flask-Login?

Feature	flask-headless-auth	Flask-Login	Auth0	Clerk	Supabase
Setup Time	⚡ 2 minutes	30 minutes	20 minutes	15 minutes	15 minutes
One-Line Init	✅ AuthSvc(app)	❌ Manual	N/A	N/A	N/A
Pricing	✅ Free forever	Free	$240/mo	$300/mo	Free tier limited
Vendor Lock-in	✅ None	None	❌ High	❌ High	⚠️ Medium
JWT Built-in	✅ Yes	❌ No	✅ Yes	✅ Yes	✅ Yes
OAuth (Google, MS)	✅ Built-in	❌ Manual	✅ Yes	✅ Yes	✅ Yes
MFA/2FA	✅ Built-in	❌ Manual	✅ Yes	✅ Yes	✅ Yes
RBAC	✅ Built-in	❌ Manual	✅ Yes	✅ Yes	✅ Yes
Email Verification	✅ Built-in	❌ Manual	✅ Yes	✅ Yes	✅ Yes
Password Reset	✅ Built-in	❌ Manual	✅ Yes	✅ Yes	✅ Yes
API-First	✅ Yes	❌ Session-based	✅ Yes	✅ Yes	✅ Yes
Self-Hosted	✅ Yes	✅ Yes	❌ No	❌ No	⚠️ Complex
Custom User Model	✅ Yes	✅ Yes	❌ No	❌ No	⚠️ Limited
Works with SPAs	✅ Perfect	⚠️ Manual	✅ Yes	✅ Yes	✅ Yes

🏆 Best For:

• ✅ API-first applications (React, Next.js, Vue, mobile apps)
• ✅ Cost-conscious teams (no $3,600/year auth bills)
• ✅ Developers who want control (custom user models, full ownership)
• ✅ Security-first apps (banks, healthcare, fintech - self-hosted)
• ✅ Startups & indie hackers (production-ready in 5 minutes, free forever)

---

✨ Features

🔐 Authentication

• ✅ Email/Password - Secure bcrypt hashing
• ✅ JWT Tokens - Access + refresh token pattern
• ✅ OAuth 2.0 - Google, Microsoft SSO (more coming)
• ✅ MFA/2FA - Multi-factor authentication
• ✅ Magic Links - Passwordless login (coming soon)
• ✅ Session Management - Token refresh, blacklisting

👤 User Management

• ✅ Email Verification - Confirm user emails
• ✅ Password Reset - Secure token-based reset
• ✅ Profile Management - Update user data
• ✅ Custom User Models - Use your own User model
• ✅ User Activity Logging - Track user actions

🛡️ Security

• ✅ httpOnly Cookies - XSS protection
• ✅ CSRF Protection - SameSite cookies
• ✅ Rate Limiting - Brute force prevention
• ✅ Token Blacklisting - Secure logout
• ✅ CORS - Configurable cross-origin
• ✅ Security Headers - Talisman integration

🚀 Advanced

• ✅ RBAC - Role-based access control
• ✅ Caching - Redis/SimpleCache support
• ✅ Email Services - Gmail, Brevo, custom
• ✅ Extensible - Custom models, hooks
• ✅ Production-Ready - Used in real apps

---

📦 Installation

pip install flask-headless-auth

Optional: Email support

pip install flask-headless-auth[email]

---

🚀 Quick Start (Literally 2 Minutes)

Step 1: Minimal Setup (5 lines)

from flask import Flask
from flask_headless_auth import AuthSvc

app = Flask(__name__)

# Minimal config (sensible defaults)
app.config['SECRET_KEY'] = 'your-secret-key'
app.config['JWT_SECRET_KEY'] = 'your-jwt-secret-key'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///app.db'

# Initialize - ONE LINE!
auth = AuthSvc(app)

if __name__ == '__main__':
    app.run()

That's it! 🎉 Your API now has:

• POST /api/auth/login - User login
• POST /api/auth/signup - User registration
• POST /api/auth/logout - Secure logout
• GET /api/auth/user/@me - Get current user
• POST /api/auth/token/refresh - Refresh tokens
• ... and 15+ more endpoints!

Step 2: Use in Your Frontend

// React, Next.js, Vue, Angular - any frontend!
const response = await fetch('http://localhost:5000/api/auth/login', {
  method: 'POST',
  credentials: 'include', // Important for cookies!
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email, password })
});

const data = await response.json();
console.log('Logged in:', data.user);

OR use our React package for even easier integration:

npm install @headlesskits/react-headless-auth

import { AuthProvider, useAuth } from '@headlesskits/react-headless-auth';

// One-line provider
<AuthProvider config={{ apiBaseUrl: 'http://localhost:5000' }}>
  <App />
</AuthProvider>

// Use anywhere
const { user, login, logout } = useAuth();

---

🎯 Real-World Usage

Basic Setup (Default User Model)

from flask import Flask
from flask_headless_auth import AuthSvc

app = Flask(__name__)
app.config.from_object('config.Config')

# Uses built-in User, Role, Token models
auth = AuthSvc(app)

if __name__ == '__main__':
    app.run()

Advanced Setup (Custom User Model)

from flask import Flask
from flask_sqlalchemy import SQLAlchemy
from flask_headless_auth import AuthSvc, UserMixin

db = SQLAlchemy()

# Your custom User model
class User(db.Model, UserMixin):
    __tablename__ = 'users'
    
    # Required fields (validated at startup)
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True, nullable=False, index=True)
    password_hash = db.Column(db.String(1024))
    is_verified = db.Column(db.Boolean, default=False)
    is_active = db.Column(db.Boolean, default=True)
    mfa_enabled = db.Column(db.Boolean, default=False)
    provider = db.Column(db.String(50), default='local')
    
    # Your custom fields
    first_name = db.Column(db.String(100))
    last_name = db.Column(db.String(100))
    company = db.Column(db.String(200))
    subscription_tier = db.Column(db.String(50), default='free')
    # ... any fields you want!

app = Flask(__name__)
db.init_app(app)

# Use your custom model
auth = AuthSvc(app, user_model=User)

---

⚙️ Configuration

Minimal Config (Secure Defaults)

# config.py
class Config:
    # Required
    SECRET_KEY = 'your-secret-key'
    JWT_SECRET_KEY = 'your-jwt-secret-key'
    SQLALCHEMY_DATABASE_URI = 'sqlite:///app.db'
    
    # That's it! Everything else has secure defaults

Production Config (All Options)

# config.py
import os

class Config:
    # Core
    SECRET_KEY = os.getenv('SECRET_KEY')
    JWT_SECRET_KEY = os.getenv('JWT_SECRET_KEY')
    SQLALCHEMY_DATABASE_URI = os.getenv('DATABASE_URL')
    
    # JWT Settings
    JWT_ACCESS_TOKEN_EXPIRES = 900  # 15 minutes (industry standard)
    JWT_REFRESH_TOKEN_EXPIRES = 2592000  # 30 days
    JWT_TOKEN_LOCATION = ['cookies', 'headers']
    
    # Cookie Security (HTTPS only in production)
    JWT_COOKIE_SECURE = True  # HTTPS only
    JWT_COOKIE_HTTPONLY = True  # XSS protection
    JWT_COOKIE_SAMESITE = 'Strict'  # CSRF protection
    
    # CORS (your frontend URLs)
    AUTHSVC_CORS_ORIGINS = [
        'http://localhost:3000',  # Local dev
        'https://yourapp.com',    # Production
    ]
    
    # OAuth (optional)
    AUTHSVC_ENABLE_OAUTH = True
    GOOGLE_CLIENT_ID = os.getenv('GOOGLE_CLIENT_ID')
    GOOGLE_CLIENT_SECRET = os.getenv('GOOGLE_CLIENT_SECRET')
    MICROSOFT_CLIENT_ID = os.getenv('MICROSOFT_CLIENT_ID')
    MICROSOFT_CLIENT_SECRET = os.getenv('MICROSOFT_CLIENT_SECRET')
    
    # Email Service (optional - for verification, password reset)
    EMAIL_SERVICE = 'gmail'  # or 'brevo'
    MAIL_SERVER = 'smtp.gmail.com'
    MAIL_PORT = 587
    MAIL_USE_TLS = True
    MAIL_USERNAME = os.getenv('MAIL_USERNAME')
    MAIL_PASSWORD = os.getenv('MAIL_PASSWORD')
    
    # Cache (optional - for performance)
    CACHE_TYPE = 'redis'
    CACHE_REDIS_URL = os.getenv('REDIS_URL')
    
    # Rate Limiting (optional)
    RATELIMIT_ENABLED = True
    RATELIMIT_STORAGE_URL = os.getenv('REDIS_URL')
    
    # Frontend redirect (for OAuth)
    POST_LOGIN_REDIRECT_URL = 'https://yourapp.com/dashboard'

---

📡 API Endpoints

Once initialized, your app automatically gets these endpoints:

🔐 Authentication

POST   /api/auth/signup              Register new user
POST   /api/auth/login               Login with email/password
POST   /api/auth/logout              Logout (blacklist token)
GET    /api/auth/check-auth          Check if authenticated
POST   /api/auth/token/refresh       Refresh access token

👤 User Management

GET    /api/auth/user/@me            Get current user
PUT    /api/auth/user/@me            Update user profile
POST   /api/auth/password/update     Change password
POST   /api/auth/upload-profile-picture  Upload avatar

🔗 OAuth

GET    /api/auth/login/google        Initiate Google OAuth
GET    /api/auth/callback/google     Google OAuth callback
GET    /api/auth/login/microsoft     Initiate Microsoft OAuth
GET    /api/auth/callback/microsoft  Microsoft callback

📧 Email & Verification

GET    /api/auth/confirm/<token>     Confirm email address
POST   /api/auth/resend-verification Resend verification email
POST   /api/auth/request-password-reset  Request password reset
POST   /api/auth/reset-password/<token>  Reset password

🔒 MFA (Multi-Factor Auth)

POST   /api/auth/mfa/enable          Enable MFA for user
POST   /api/auth/mfa/verify          Verify MFA token
POST   /api/auth/mfa/disable         Disable MFA

---

🔒 Protected Routes

Protect your routes with JWT authentication:

from flask import Flask, jsonify
from flask_jwt_extended import jwt_required, get_jwt_identity
from flask_headless_auth import AuthSvc

app = Flask(__name__)
auth = AuthSvc(app)

@app.route('/api/protected')
@jwt_required()
def protected():
    current_user_id = get_jwt_identity()
    return jsonify({
        'message': 'This is a protected route',
        'user_id': current_user_id
    })

@app.route('/api/admin-only')
@jwt_required()
def admin_only():
    current_user_id = get_jwt_identity()
    user = auth.user_model.query.get(current_user_id)
    
    if user.role != 'admin':
        return jsonify({'error': 'Admin only'}), 403
    
    return jsonify({'message': 'Welcome, admin!'})

---

🎨 Custom User Models

Method 1: Use Built-in Mixins

from flask_headless_auth import UserMixin, db

class User(db.Model, UserMixin):
    __tablename__ = 'users'
    
    # UserMixin provides: id, email, password_hash, is_verified, is_active, etc.
    
    # Add your custom fields
    first_name = db.Column(db.String(100))
    last_name = db.Column(db.String(100))
    company = db.Column(db.String(200))
    subscription = db.Column(db.String(50), default='free')
    credits = db.Column(db.Integer, default=0)

Method 2: Build From Scratch (Ensure Required Fields)

from flask_sqlalchemy import SQLAlchemy

db = SQLAlchemy()

class User(db.Model):
    __tablename__ = 'users'
    
    # REQUIRED FIELDS (validated at startup)
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True, nullable=False, index=True)
    password_hash = db.Column(db.String(1024))
    is_verified = db.Column(db.Boolean, default=False)
    is_active = db.Column(db.Boolean, default=True)
    mfa_enabled = db.Column(db.Boolean, default=False)
    provider = db.Column(db.String(50), default='local')
    
    # YOUR CUSTOM FIELDS
    # ... anything you want!

Schema Validation: We validate your User model at startup. If required fields are missing, you get a clear error:

❌ USER MODEL SCHEMA VALIDATION FAILED
Your custom User model 'User' is missing required fields:
  - mfa_enabled: Boolean, default=False
  
Add this field to your model and run migration:
  ALTER TABLE users ADD COLUMN mfa_enabled BOOLEAN NOT NULL DEFAULT FALSE;

This prevents cryptic runtime errors in production! 🎯

---

🚀 Deployment

Docker

FROM python:3.11-slim

WORKDIR /app

COPY requirements.txt .
RUN pip install -r requirements.txt

COPY . .

CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:5000", "app:app"]

docker build -t my-auth-api .
docker run -p 5000:5000 -e SECRET_KEY=... my-auth-api

Heroku

# requirements.txt
flask-headless-auth
gunicorn
psycopg2-binary

# Procfile
web: gunicorn app:app

# Deploy
heroku create my-auth-api
git push heroku main
heroku config:set SECRET_KEY=...

DigitalOcean App Platform

# .do/app.yaml
name: my-auth-api
services:
  - name: api
    source_dir: /
    github:
      repo: your-username/your-repo
      branch: main
    envs:
      - key: SECRET_KEY
        value: ${SECRET_KEY}
      - key: DATABASE_URL
        value: ${db.DATABASE_URL}
    run_command: gunicorn app:app

---

🔒 Security Best Practices

✅ Do This

# 1. Use environment variables
import os
app.config['SECRET_KEY'] = os.getenv('SECRET_KEY')

# 2. Enable HTTPS in production
app.config['JWT_COOKIE_SECURE'] = True

# 3. Short access token lifetime
app.config['JWT_ACCESS_TOKEN_EXPIRES'] = 900  # 15 minutes

# 4. Strong cookies
app.config['JWT_COOKIE_HTTPONLY'] = True
app.config['JWT_COOKIE_SAMESITE'] = 'Strict'

# 5. Rate limiting
app.config['RATELIMIT_ENABLED'] = True

# 6. Database backups
# Setup automated backups for your database

# 7. Monitor auth events
@auth.on_login
def log_login(user):
    logger.info(f"User {user.email} logged in from {request.remote_addr}")

❌ Don't Do This

# ❌ Hardcoded secrets
app.config['SECRET_KEY'] = 'my-secret-123'  # BAD!

# ❌ Long access tokens
app.config['JWT_ACCESS_TOKEN_EXPIRES'] = 86400  # 24 hours - TOO LONG!

# ❌ Insecure cookies
app.config['JWT_COOKIE_SECURE'] = False  # BAD in production!

# ❌ No rate limiting
app.config['RATELIMIT_ENABLED'] = False  # Easy to brute force!

---

🎓 Examples

Complete App Example

# app.py
from flask import Flask
from flask_headless_auth import AuthSvc, db, UserMixin

app = Flask(__name__)

# Config
app.config['SECRET_KEY'] = 'your-secret-key'
app.config['JWT_SECRET_KEY'] = 'your-jwt-secret-key'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///app.db'
app.config['AUTHSVC_CORS_ORIGINS'] = ['http://localhost:3000']

# Custom User model (optional)
class User(db.Model, UserMixin):
    __tablename__ = 'users'
    first_name = db.Column(db.String(100))
    last_name = db.Column(db.String(100))

# Initialize
auth = AuthSvc(app, user_model=User)

# Your custom routes
@app.route('/api/hello')
def hello():
    return {'message': 'Hello World!'}

if __name__ == '__main__':
    with app.app_context():
        db.create_all()  # Create tables
    app.run(debug=True)

Frontend Integration (React)

// AuthContext.tsx
import { createContext, useState, useContext } from 'react';

const API_URL = 'http://localhost:5000';

export const AuthContext = createContext(null);

export const AuthProvider = ({ children }) => {
  const [user, setUser] = useState(null);

  const login = async (email, password) => {
    const response = await fetch(`${API_URL}/api/auth/login`, {
      method: 'POST',
      credentials: 'include', // Important!
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ email, password })
    });
    
    if (response.ok) {
      const data = await response.json();
      setUser(data.user);
      return { success: true };
    }
    return { success: false };
  };

  const logout = async () => {
    await fetch(`${API_URL}/api/auth/logout`, {
      method: 'POST',
      credentials: 'include'
    });
    setUser(null);
  };

  return (
    <AuthContext.Provider value={{ user, login, logout }}>
      {children}
    </AuthContext.Provider>
  );
};

export const useAuth = () => useContext(AuthContext);

OR just use our React package:

npm install @headlesskits/react-headless-auth

---

🤔 FAQ

How is this different from Flask-Login?

• Flask-Login: Session-based, not ideal for SPAs/mobile
• flask-headless-auth: JWT-based, perfect for modern apps

Can I use this with Next.js?

Yes! Perfect for Next.js. Use our React package for seamless integration:

npm install @headlesskits/react-headless-auth

Does this work with PostgreSQL/MySQL?

Yes! Just change your SQLALCHEMY_DATABASE_URI:

# PostgreSQL
SQLALCHEMY_DATABASE_URI = 'postgresql://user:pass@localhost/db'

# MySQL
SQLALCHEMY_DATABASE_URI = 'mysql://user:pass@localhost/db'

Can I use my existing User model?

Yes! Just pass it to AuthSvc:

auth = AuthSvc(app, user_model=YourUserModel)

Make sure it has the required fields (we validate at startup).

Is this production-ready?

Yes! Used in production by multiple companies. Includes:

• Security headers
• Rate limiting
• Token blacklisting
• CSRF protection
• Input validation

How do I add custom endpoints?

Easy! Just add Flask routes:

auth = AuthSvc(app)

@app.route('/api/custom')
@jwt_required()
def custom():
    return {'message': 'Custom endpoint'}

---

📊 Performance

• Token validation: <1ms with caching
• Login: ~100-150ms (bcrypt hashing)
• Token refresh: <10ms
• Scales to: Millions of users (with PostgreSQL + Redis)

---

🤝 Contributing

We love contributions! Please:

1. Fork the repo
2. Create a feature branch (git checkout -b feature/amazing)
3. Follow PEP 8 style guide
4. Add tests (pytest)
5. Open a Pull Request

---

📄 License

MIT © Dhruv Agnihotri

---

🔗 The HeadlessKit Ecosystem

Complete full-stack authentication in minutes:

Package	Purpose	Install
🐍 flask-headless-auth	Flask backend (this package)	pip install flask-headless-auth
🎨 @headlesskits/react-headless-auth	React/Next.js frontend SDK	npm install @headlesskits/react-headless-auth

Coming Soon:

• 🎨 @headlesskits/vue-auth - Vue.js SDK
• 🎨 @headlesskits/svelte-auth - Svelte SDK
• 🚀 express-headless-auth - Express.js backend
• ⚡ fastapi-headless-auth - FastAPI backend

---

💬 Community & Support

• 🐛 Found a bug? Open an issue
• 💡 Have an idea? Start a discussion
• 📧 Need help? dagni@umich.edu
• 🌟 Love it? Star the repo - it helps others discover it!

---

🎉 Success Stories

"Saved me 2 weeks of development time. Just imported AuthSvc and everything worked out of the box."
— Indie Hacker

"Finally, auth that doesn't cost $300/month. We're a bootstrap startup and this saved our budget."
— Startup Founder

"Switched from Auth0, never looked back. Better control, zero cost, and the custom user models feature is exactly what we needed."
— Senior Backend Engineer

"Used this for a healthcare app. Self-hosted meant we could meet HIPAA compliance without vendor risk. Security features are solid."
— Healthcare Startup CTO

Have a story? Share it with us! We'd love to hear how you're using flask-headless-auth.

---

🤝 Contributing

We welcome contributions! Here's how you can help:

Quick Wins:

• 🐛 Report bugs or suggest features in Issues
• 📖 Improve documentation
• ✨ Add new OAuth providers (GitHub, Apple, etc.)
• 🧪 Write tests for edge cases
• 🌍 Add internationalization

Development Setup:

git clone https://github.com/Dhruvagnihotri/flask-headless-auth.git
cd flask-headless-auth
pip install -e ".[dev]"
pytest  # Run tests

Code Style: We use Black, Flake8. Run black . before committing.

See CONTRIBUTING.md for detailed guidelines.

---

📈 Roadmap

Current (v0.1.x)

• JWT authentication
• OAuth (Google, Microsoft)
• MFA/2FA support
• Email verification
• Password reset flows
• RBAC (Role-Based Access Control)
• Rate limiting & security headers
• Custom user model support

Q1 2026 (v0.2.x)

• Magic links (passwordless login)
• GitHub OAuth
• Improved admin utilities
• Session analytics & logging
• Enhanced RBAC with permissions

Q2 2026 (v0.3.x)

• WebAuthn/Passkeys support
• Apple Sign In
• Admin dashboard UI (optional)
• GraphQL support
• Multi-tenant support

Q3 2026 (v1.0.x)

• Stable 1.0 release
• Comprehensive test coverage (>95%)
• Performance optimizations
• Advanced audit logging
• Compliance helpers (GDPR, HIPAA)

Want to contribute? Pick an item from the roadmap and open a PR!

---

📊 Why Open Source?

Our mission: Make enterprise-grade authentication accessible to everyone, not just companies with $3,600/year budgets.

Our philosophy:

• ✅ Forever free - MIT licensed, no hidden costs
• ✅ No telemetry - Your data stays yours
• ✅ No paywalls - All features available to everyone
• ✅ Community-driven - Built by developers, for developers
• ✅ Production-ready - Battle-tested in real applications
• ✅ Security-first - Regular updates, vulnerability patches

The reality: Auth0 charges $240/mo. Clerk charges $300/mo. That's $3,600/year for basic auth. We believe authentication should be a solved problem, not a recurring expense. This is our contribution to the developer community.

---

📊 Stats & Performance

Package Stats:

• 📦 ~100KB installed size (compared to 500MB+ for some alternatives)
• ⚡ <1ms token validation (with caching)
• 🚀 Handles millions of users (with PostgreSQL + Redis)
• 🔒 Zero known security vulnerabilities
• ⭐ Used in production by multiple companies

Benchmark Results (MacBook Pro M1):

Login (bcrypt + JWT):        ~100-150ms
Token validation:            <1ms (with Redis cache)
Token refresh:               ~10ms
OAuth callback:              ~200ms
Database query (SQLAlchemy): ~5-10ms

---

Built with ❤️ for developers who value simplicity, security, and freedom.

Free forever. No vendor lock-in. Production-ready.

---

⭐ Star us on GitHub — it helps others discover the project!

Share on: Twitter • LinkedIn • Reddit