Shared client for verifying API keys against the central admin key server.

Project description

keyverify

Shared client for verifying API keys against the central admin key server (admin-platform /internal/verify-key). Used by every service instance (asr, ocr, agent, ...) so key verification logic lives in one place.

Use

from keyverify import KeyVerifier

verifier = KeyVerifier(
    verify_url="https://admin.internal/internal/verify-key",
    service_token="tok_asr_xxx",   # this instance's X-Service-Token
    scope="cust-A",                # the customer this instance serves (optional)
    cache_ttl=300,                 # cache a result for 5 min
    fail_open=False,               # if central is down and nothing cached: deny
)

result = verifier.verify(incoming_api_key)
if result.valid:
    client, tenant = result.client, result.tenant
else:
    ...  # reject with 401; result.reason explains why

Behavior

  • Cache: a verified key is cached for cache_ttl seconds, so the central server is not hit on every request. The trade-off is that a revocation can take up to cache_ttl seconds to take effect.
  • Outage tolerance: if the central server is unreachable, a cached result is still honored. With no cached result, fail_open decides allow vs deny (default deny).
  • Scope: when scope is set, the server rejects keys belonging to other customers (returns valid=false, reason="scope_mismatch").
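
The cache and outage rules above, modelled as an added example; this is not keyverify's own code. ModelVerifier, CentralDown, the lookup callable and the "central_unreachable" reason string are hypothetical names. It assumes that only valid results are cached and that the "cached result" honored during an outage is an entry past its TTL.

```python
import time
from dataclasses import dataclass
@dataclass
class Result:
    valid: bool
    reason: str = ""

class CentralDown(Exception):
    """Raised by the lookup callable when the key server is unreachable."""

class ModelVerifier:
    """Toy model of the documented behaviour; not keyverify's implementation."""
    def __init__(self, lookup, cache_ttl=300, fail_open=False, clock=time.monotonic):
        self.lookup, self.ttl, self.fail_open, self.clock = lookup, cache_ttl, fail_open, clock
        self.cache = {}  # key -> (Result, time stored)

    def verify(self, key):
        now = self.clock()
        hit = self.cache.get(key)
        if hit and now - hit[1] < self.ttl:
            return hit[0]                    # fresh entry: central server not contacted
        try:
            result = self.lookup(key)
        except CentralDown:
            if hit:
                return hit[0]                # assumption: expired entry honored in an outage
            return Result(self.fail_open, "central_unreachable")  # constructed reason
        if result.valid:
            self.cache[key] = (result, now)  # assumption: only verified keys are cached
        else:
            self.cache.pop(key, None)        # revocation seen: an outage must not revive it
        return result

def demo():
    """Constructed scenario: key k1 revoked at t=100, central outage from t=400."""
    state = {"t": 0.0, "revoked": False, "down": False}
    def lookup(key):
        if state["down"]:
            raise CentralDown()
        return Result(key == "k1" and not state["revoked"])
    v = ModelVerifier(lookup, cache_ttl=300, fail_open=False, clock=lambda: state["t"])
    out = [v.verify("k1").valid]             # t=0: verified and cached
    state.update(t=100.0, revoked=True)
    out.append(v.verify("k1").valid)         # t=100: revoked key still accepted from cache
    state.update(t=301.0)
    out.append(v.verify("k1").valid)         # t=301: TTL expired, revocation takes effect
    state.update(t=400.0, down=True)
    out.append(v.verify("k2").valid)         # outage, nothing cached, fail_open=False: deny
    return out
```

The second element of demo()'s result is the revocation window in action: cache_ttl is the longest a revoked key stays usable while the central server is reachable.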

Install (per service)

Each service adds this as a dependency (path, git, or internal index). E.g. in a service's pyproject:

dependencies = ["keyverify @ file:///path/to/key-verify-client"]

Development

Install the project and its development tools:

python -m pip install -e ".[dev]"
npm ci
pre-commit install
pre-commit install --hook-type commit-msg
pre-commit install --hook-type pre-push

Run the same checks used by GitHub Actions:

pre-commit run --all-files
pytest --cov=keyverify --cov-report=term-missing --cov-fail-under=90
python -m build
python -m twine check dist/*

Automated releases

The repository uses Conventional Commits and semantic-release.

  • Pull requests and feature branches run linting, type checking, tests, coverage, wheel/source-distribution builds, and package metadata checks.
  • Commits pushed to dev create a prerelease such as 0.2.0-dev.1. The corresponding Python distribution version is normalized to 0.2.0.dev1 and attached to the GitHub prerelease.
  • Commits pushed to main create a stable GitHub release and publish the wheel and source distribution to PyPI.
  • After a stable release, the workflow merges main back into dev.

Required GitHub and PyPI settings

  1. Keep the existing package-lock.json committed because the workflows use npm ci.
  2. Create a GitHub Environment named pypi.
  3. In the PyPI project, add a GitHub Trusted Publisher with:
    • repository owner and repository name matching this repository;
    • workflow filename release.yml;
    • environment name pypi.
  4. Give GitHub Actions permission to create repository contents. If branch protection prevents the release commit or the main to dev synchronization, create a repository secret named SEMANTIC_RELEASE_TOKEN containing a fine-grained token that can push to both branches and create releases.

Only stable releases from main are uploaded to PyPI. The dev branch produces GitHub prereleases only. Package version metadata is stored in src/keyverify/version.py.

Download files

Source Distribution

keyverify-1.0.0.tar.gz (12.7 MB)

Uploaded Source

Built Distribution

keyverify-1.0.0-py3-none-any.whl (4.6 kB)

Uploaded Python 3

File details

Details for the file keyverify-1.0.0.tar.gz.

File metadata

  • Download URL: keyverify-1.0.0.tar.gz
  • Size: 12.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keyverify-1.0.0.tar.gz
Algorithm Hash digest
SHA256 d282fa25103031313a7664e295d066f067b052edda9679d809b706c596ba6192
MD5 428bf80397cc6f9e946ebf4fa2a27148
BLAKE2b-256 f7cc38da721098eac499d89a2e2b110a8cea2d201b0ced47c7dcc10e21bec66d

Provenance

The following attestation bundles were made for keyverify-1.0.0.tar.gz:

Publisher: release.yml on AIAIAIAIAIAIAIAIA/key-verify-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keyverify-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: keyverify-1.0.0-py3-none-any.whl
  • Size: 4.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keyverify-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cdaa2bf003b44e231069712e374f8fd4975ee0b83831bc148b18e4da3fc35667
MD5 90b9df9896027af6b74e1fd4b652beba
BLAKE2b-256 53144cbb4840cc566955e126ca1ee3b3218625dc3e591e66c6e60ac6e1ab4fb9

Provenance

The following attestation bundles were made for keyverify-1.0.0-py3-none-any.whl:

Publisher: release.yml on AIAIAIAIAIAIAIAIA/key-verify-client

