Ship hackathon products fast with secure-by-default auth, RBAC, PostgreSQL readiness, and built-in LLM tooling.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for multiset from gravatar.com multiset

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: multiset
  • Requires: Python >=3.11
  • Provides-Extra: password , redis
Report project as malware

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

h4ckrth0n

Ship hackathon products fast, with secure-by-default auth, RBAC, Postgres readiness, and built-in LLM tooling.

h4ckrth0n is an opinionated Python library that makes it hard to accidentally ship insecure glue code during a hackathon.

What you get by default

  • API: FastAPI app bootstrap with OpenAPI docs
  • Auth: passkey (WebAuthn) registration and login – no passwords required
  • AuthZ: built-in RBAC with user and admin roles, plus scoped permissions via JWT claims
  • Database: SQLAlchemy 2.x + Alembic, works with SQLite (zero-config dev) and Postgres (recommended for production)
  • LLM: built-in LLM client wrapper (OpenAI SDK) with safe defaults and redaction hooks
  • Observability: opt-in LangSmith / OpenTelemetry tracing with trace ID propagation
  • Config: environment-driven settings via pydantic-settings

Password auth and Redis-based queues/caching are available as optional extras.

Installation

Recommended (uv)

uv add h4ckrth0n

Optional extras:

uv add "h4ckrth0n[password]"  # Argon2-based password auth (off by default)
uv add "h4ckrth0n[redis]"     # Redis support

pip

pip install h4ckrth0n

Quickstart

from h4ckrth0n import create_app

app = create_app()

Run:

uv run uvicorn your_module:app --reload

Open docs at /docs (Swagger UI). Passkey auth routes are mounted automatically.

Auth: passkeys by default

h4ckrth0n uses passkeys (WebAuthn) as the default authentication method. No passwords, no email required.

How it works

  1. Register: POST /auth/passkey/register/start → browser creates a passkey → POST /auth/passkey/register/finish → account created, tokens returned.
  2. Login: POST /auth/passkey/login/start → browser signs with passkey → POST /auth/passkey/login/finish → tokens returned. Username-less by default.
  3. Add passkey: authenticated users can add more passkeys via POST /auth/passkey/add/start + POST /auth/passkey/add/finish.
  4. Revoke passkey: POST /auth/passkeys/{key_id}/revoke – but cannot revoke the last active passkey (returns LAST_PASSKEY error).

ID scheme

  • User IDs: 32-char base32 string starting with u (e.g., u3mfgh7k2n4p5q6r7s8t9v0w1x2y3z4a)
  • Internal key IDs: 32-char base32 string starting with k
  • The browser's WebAuthn credentialId is stored separately and used for signature verification.

Secure-by-default endpoint protection

Protect an endpoint (requires a logged-in user):

from h4ckrth0n import create_app
from h4ckrth0n.auth import require_user

app = create_app()

@app.get("/me")
def me(user=require_user()):
    return {"id": user.id, "role": user.role}

Admin-only endpoint:

from h4ckrth0n.auth import require_admin

@app.get("/admin/dashboard")
def admin_dashboard(user=require_admin()):
    return {"ok": True}

Scoped privileges (JWT claim scopes):

from h4ckrth0n.auth import require_scopes

@app.post("/billing/refund")
def refund(user=require_scopes("billing:refund")):
    return {"status": "queued"}

Auth routes

h4ckrth0n mounts these routes by default:

Passkey (default)

  • POST /auth/passkey/register/start – begin passkey registration (creates account)
  • POST /auth/passkey/register/finish – complete registration (returns access + refresh tokens)
  • POST /auth/passkey/login/start – begin passkey login (username-less)
  • POST /auth/passkey/login/finish – complete login (returns access + refresh tokens)
  • POST /auth/passkey/add/start – begin adding a passkey (authenticated)
  • POST /auth/passkey/add/finish – complete adding a passkey (authenticated)
  • GET /auth/passkeys – list current user's passkeys (authenticated)
  • POST /auth/passkeys/{key_id}/revoke – revoke a passkey (authenticated, blocked if last)

Token management

  • POST /auth/refresh – rotate refresh token, get new access token
  • POST /auth/logout – revoke refresh token

Password auth (optional extra)

Only available when h4ckrth0n[password] is installed AND H4CKRTH0N_PASSWORD_AUTH_ENABLED=true:

  • POST /auth/register – create account with email + password
  • POST /auth/login – authenticate with email + password
  • POST /auth/password-reset/request – request password reset
  • POST /auth/password-reset/confirm – confirm password reset

Database

Zero-config default: SQLite is used if no database URL is provided.

To use Postgres (recommended for production):

H4CKRTH0N_DATABASE_URL=postgresql+psycopg://user:pass@host:5432/dbname

The psycopg[binary] driver is included by default – no extra install needed.

LLM

h4ckrth0n includes LLM tooling by default. Set OPENAI_API_KEY and use:

from h4ckrth0n.llm import llm

client = llm()
resp = client.chat(
    system="You are a helpful assistant.",
    user="Summarize this in one sentence: ...",
)
print(resp.text)

Fails gracefully with a clear error message when OPENAI_API_KEY is not set.

Configuration

Everything is environment-driven (prefix H4CKRTH0N_):

Variable Default Description
H4CKRTH0N_ENV development development or production
H4CKRTH0N_DATABASE_URL sqlite:///./h4ckrth0n.db Database connection string
H4CKRTH0N_AUTH_SIGNING_KEY (ephemeral in dev) JWT signing key (required in production)
H4CKRTH0N_RP_ID localhost (dev only) WebAuthn relying party ID (required in production)
H4CKRTH0N_ORIGIN http://localhost:8000 (dev only) WebAuthn expected origin (required in production)
H4CKRTH0N_WEBAUTHN_TTL_SECONDS 300 Challenge expiry time (seconds)
H4CKRTH0N_USER_VERIFICATION preferred WebAuthn user verification requirement
H4CKRTH0N_ATTESTATION none WebAuthn attestation preference
H4CKRTH0N_PASSWORD_AUTH_ENABLED false Enable password auth routes (requires [password] extra)
H4CKRTH0N_BOOTSTRAP_ADMIN_EMAILS [] JSON list of emails that get admin role on registration
H4CKRTH0N_FIRST_USER_IS_ADMIN false First registered user becomes admin (dev convenience)
OPENAI_API_KEY OpenAI API key for the LLM module

In development mode, missing signing keys and WebAuthn settings generate ephemeral/localhost defaults with warnings. In production mode, missing critical secrets and RP_ID/ORIGIN cause a hard error.

Observability (opt-in)

Enable end-to-end tracing across FastAPI requests, LangGraph nodes, tool calls, and LLM calls.

Enable LangSmith tracing

LANGSMITH_TRACING=true
LANGSMITH_API_KEY=...
LANGSMITH_PROJECT=your-project-name

Trace IDs

When observability is enabled, h4ckrth0n attaches X-Trace-Id to all responses:

from h4ckrth0n import create_app
from h4ckrth0n.obs import init_observability

app = create_app()
init_observability(app)

Development

git clone https://github.com/BTreeMap/h4ckrth0n.git
cd h4ckrth0n
uv sync
uv run pytest

Quality gates:

uv run ruff format --check .
uv run ruff check .
uv run mypy src
uv run pytest

Build:

uv build

License

MIT. See LICENSE.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for multiset from gravatar.com multiset

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: multiset
  • Requires: Python >=3.11
  • Provides-Extra: password , redis

Release history Release notifications | RSS feed

0.1.1.dev20260210053526 pre-release

This version

0.1.1.dev20260210051946 pre-release

0.1.1.dev20260210051214 pre-release

0.1.1.dev20260210050811 pre-release

0.1.1.dev20260210050016 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

h4ckrth0n-0.1.1.dev20260210051946.tar.gz (251.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

h4ckrth0n-0.1.1.dev20260210051946-py3-none-any.whl (29.0 kB view details)

Uploaded Python 3

File details

Details for the file h4ckrth0n-0.1.1.dev20260210051946.tar.gz.

File metadata

File hashes

Hashes for h4ckrth0n-0.1.1.dev20260210051946.tar.gz
Algorithm Hash digest
SHA256 c0044ca3a06f412adba59a33904d3107e89c6ff8ca888ff4b8c1ff1bed6b04e6
MD5 4236589b2b5d0e69040283df9a884d0d
BLAKE2b-256 a469246a6ccc831ec7da5a16eb7b0793c3357f149f7bd21e2137cedf4affc403

See more details on using hashes here.

Provenance

The following attestation bundles were made for h4ckrth0n-0.1.1.dev20260210051946.tar.gz:

Publisher: publish.yml on BTreeMap/h4ckrth0n

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file h4ckrth0n-0.1.1.dev20260210051946-py3-none-any.whl.

File metadata

File hashes

Hashes for h4ckrth0n-0.1.1.dev20260210051946-py3-none-any.whl
Algorithm Hash digest
SHA256 14351d50812a6c0a63902612bdb41fc40ad194fa048fcda407b8ad40bb490291
MD5 373de97d6f8221c3a0b49c5866a9c295
BLAKE2b-256 542a03b67c426e1a61ff17e8411b0bace70662741a4c57e1143f6b259ca29241

See more details on using hashes here.

Provenance

The following attestation bundles were made for h4ckrth0n-0.1.1.dev20260210051946-py3-none-any.whl:

Publisher: publish.yml on BTreeMap/h4ckrth0n

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page