Ship hackathon products fast with secure-by-default auth, RBAC, PostgreSQL readiness, and built-in LLM tooling.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for multiset from gravatar.com multiset

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: multiset
  • Requires: Python >=3.11
  • Provides-Extra: password , redis
Report project as malware

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

h4ckrth0n

Ship hackathon products fast, with secure-by-default auth, RBAC, Postgres readiness, and built-in LLM tooling.

h4ckrth0n is an opinionated Python library that makes it hard to accidentally ship insecure glue code during a hackathon.

What you get by default

  • API: FastAPI app bootstrap with OpenAPI docs
  • Auth: passkey (WebAuthn) registration and login – no passwords required
  • AuthZ: built-in RBAC with user and admin roles, plus scoped permissions via JWT claims
  • Database: SQLAlchemy 2.x + Alembic, works with SQLite (zero-config dev) and Postgres (recommended for production)
  • LLM: built-in LLM client wrapper (OpenAI SDK) with safe defaults and redaction hooks
  • Observability: opt-in LangSmith / OpenTelemetry tracing with trace ID propagation
  • Config: environment-driven settings via pydantic-settings

Password auth and Redis-based queues/caching are available as optional extras.

Installation

Recommended (uv)

uv add h4ckrth0n

Optional extras:

uv add "h4ckrth0n[password]"  # Argon2-based password auth (off by default)
uv add "h4ckrth0n[redis]"     # Redis support

pip

pip install h4ckrth0n

Quickstart

from h4ckrth0n import create_app

app = create_app()

Run:

uv run uvicorn your_module:app --reload

Open docs at /docs (Swagger UI). Passkey auth routes are mounted automatically.

Auth: passkeys by default

h4ckrth0n uses passkeys (WebAuthn) as the default authentication method. No passwords, no email required.

How it works

  1. Register: POST /auth/passkey/register/start → browser creates a passkey → POST /auth/passkey/register/finish → account created, tokens returned.
  2. Login: POST /auth/passkey/login/start → browser signs with passkey → POST /auth/passkey/login/finish → tokens returned. Username-less by default.
  3. Add passkey: authenticated users can add more passkeys via POST /auth/passkey/add/start + POST /auth/passkey/add/finish.
  4. Revoke passkey: POST /auth/passkeys/{key_id}/revoke – but cannot revoke the last active passkey (returns LAST_PASSKEY error).

ID scheme

  • User IDs: 32-char base32 string starting with u (e.g., u3mfgh7k2n4p5q6r7s8t9v0w1x2y3z4a)
  • Internal key IDs: 32-char base32 string starting with k
  • The browser's WebAuthn credentialId is stored separately and used for signature verification.

Secure-by-default endpoint protection

Protect an endpoint (requires a logged-in user):

from h4ckrth0n import create_app
from h4ckrth0n.auth import require_user

app = create_app()

@app.get("/me")
def me(user=require_user()):
    return {"id": user.id, "role": user.role}

Admin-only endpoint:

from h4ckrth0n.auth import require_admin

@app.get("/admin/dashboard")
def admin_dashboard(user=require_admin()):
    return {"ok": True}

Scoped privileges (JWT claim scopes):

from h4ckrth0n.auth import require_scopes

@app.post("/billing/refund")
def refund(user=require_scopes("billing:refund")):
    return {"status": "queued"}

Auth routes

h4ckrth0n mounts these routes by default:

Passkey (default)

  • POST /auth/passkey/register/start – begin passkey registration (creates account)
  • POST /auth/passkey/register/finish – complete registration (returns access + refresh tokens)
  • POST /auth/passkey/login/start – begin passkey login (username-less)
  • POST /auth/passkey/login/finish – complete login (returns access + refresh tokens)
  • POST /auth/passkey/add/start – begin adding a passkey (authenticated)
  • POST /auth/passkey/add/finish – complete adding a passkey (authenticated)
  • GET /auth/passkeys – list current user's passkeys (authenticated)
  • POST /auth/passkeys/{key_id}/revoke – revoke a passkey (authenticated, blocked if last)

Token management

  • POST /auth/refresh – rotate refresh token, get new access token
  • POST /auth/logout – revoke refresh token

Password auth (optional extra)

Only available when h4ckrth0n[password] is installed AND H4CKRTH0N_PASSWORD_AUTH_ENABLED=true:

  • POST /auth/register – create account with email + password
  • POST /auth/login – authenticate with email + password
  • POST /auth/password-reset/request – request password reset
  • POST /auth/password-reset/confirm – confirm password reset

Database

Zero-config default: SQLite is used if no database URL is provided.

To use Postgres (recommended for production):

H4CKRTH0N_DATABASE_URL=postgresql+psycopg://user:pass@host:5432/dbname

The psycopg[binary] driver is included by default – no extra install needed.

LLM

h4ckrth0n includes LLM tooling by default. Set OPENAI_API_KEY and use:

from h4ckrth0n.llm import llm

client = llm()
resp = client.chat(
    system="You are a helpful assistant.",
    user="Summarize this in one sentence: ...",
)
print(resp.text)

Fails gracefully with a clear error message when OPENAI_API_KEY is not set.

Configuration

Everything is environment-driven (prefix H4CKRTH0N_):

Variable Default Description
H4CKRTH0N_ENV development development or production
H4CKRTH0N_DATABASE_URL sqlite:///./h4ckrth0n.db Database connection string
H4CKRTH0N_AUTH_SIGNING_KEY (ephemeral in dev) JWT signing key (required in production)
H4CKRTH0N_RP_ID localhost (dev only) WebAuthn relying party ID (required in production)
H4CKRTH0N_ORIGIN http://localhost:8000 (dev only) WebAuthn expected origin (required in production)
H4CKRTH0N_WEBAUTHN_TTL_SECONDS 300 Challenge expiry time (seconds)
H4CKRTH0N_USER_VERIFICATION preferred WebAuthn user verification requirement
H4CKRTH0N_ATTESTATION none WebAuthn attestation preference
H4CKRTH0N_PASSWORD_AUTH_ENABLED false Enable password auth routes (requires [password] extra)
H4CKRTH0N_BOOTSTRAP_ADMIN_EMAILS [] JSON list of emails that get admin role on registration
H4CKRTH0N_FIRST_USER_IS_ADMIN false First registered user becomes admin (dev convenience)
OPENAI_API_KEY OpenAI API key for the LLM module

In development mode, missing signing keys and WebAuthn settings generate ephemeral/localhost defaults with warnings. In production mode, missing critical secrets and RP_ID/ORIGIN cause a hard error.

Observability (opt-in)

Enable end-to-end tracing across FastAPI requests, LangGraph nodes, tool calls, and LLM calls.

Enable LangSmith tracing

LANGSMITH_TRACING=true
LANGSMITH_API_KEY=...
LANGSMITH_PROJECT=your-project-name

Trace IDs

When observability is enabled, h4ckrth0n attaches X-Trace-Id to all responses:

from h4ckrth0n import create_app
from h4ckrth0n.obs import init_observability

app = create_app()
init_observability(app)

Development

git clone https://github.com/BTreeMap/h4ckrth0n.git
cd h4ckrth0n
uv sync
uv run pytest

Quality gates:

uv run ruff format --check .
uv run ruff check .
uv run mypy src
uv run pytest

Build:

uv build

License

MIT. See LICENSE.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for multiset from gravatar.com multiset

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: multiset
  • Requires: Python >=3.11
  • Provides-Extra: password , redis

Release history Release notifications | RSS feed

This version

0.1.1.dev20260210053526 pre-release

0.1.1.dev20260210051946 pre-release

0.1.1.dev20260210051214 pre-release

0.1.1.dev20260210050811 pre-release

0.1.1.dev20260210050016 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

h4ckrth0n-0.1.1.dev20260210053526.tar.gz (251.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

h4ckrth0n-0.1.1.dev20260210053526-py3-none-any.whl (29.0 kB view details)

Uploaded Python 3

File details

Details for the file h4ckrth0n-0.1.1.dev20260210053526.tar.gz.

File metadata

File hashes

Hashes for h4ckrth0n-0.1.1.dev20260210053526.tar.gz
Algorithm Hash digest
SHA256 4f631bc9d58811e3a96a8a4dc903fd625787331fd08731e6e87c745a42372abd
MD5 745e0d1afc803adcdc03a9fdf2f882f2
BLAKE2b-256 67eb9e3eade5a54ccf3976eba303807dbb549197d0cda67a21f812d99efefe8b

See more details on using hashes here.

Provenance

The following attestation bundles were made for h4ckrth0n-0.1.1.dev20260210053526.tar.gz:

Publisher: publish.yml on BTreeMap/h4ckrth0n

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file h4ckrth0n-0.1.1.dev20260210053526-py3-none-any.whl.

File metadata

File hashes

Hashes for h4ckrth0n-0.1.1.dev20260210053526-py3-none-any.whl
Algorithm Hash digest
SHA256 55628dcee08239419d0f38b3b812d5e3181914dabdafcf4348bde31cae31bcdf
MD5 b746fd46d91e1e6a185ed94b3b0a75a9
BLAKE2b-256 c8a58937958754627f9e284b4f2159f21bd916b3e26a96d3e85d19867495327a

See more details on using hashes here.

Provenance

The following attestation bundles were made for h4ckrth0n-0.1.1.dev20260210053526-py3-none-any.whl:

Publisher: publish.yml on BTreeMap/h4ckrth0n

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page