Shared client for verifying API keys against the central admin key server.
Project description
keyverify
Shared client for verifying API keys against the central admin key server
(admin-platform /internal/verify-key). Used by every service instance
(asr, ocr, agent, ...) so key verification logic lives in one place.
Use
```python
from keyverify import KeyVerifier

verifier = KeyVerifier(
    verify_url="https://admin.internal/internal/verify-key",
    service_token="tok_asr_xxx",  # this instance's X-Service-Token
    scope="cust-A",               # the customer this instance serves (optional)
    cache_ttl=300,                # cache a result for 5 min
    fail_open=False,              # if central is down and nothing cached: deny
)

result = verifier.verify(incoming_api_key)
if result.valid:
    client, tenant = result.client, result.tenant
else:
    ...  # reject with 401; result.reason explains why
```
Behavior
- Cache: a verified key is cached for `cache_ttl` seconds, so the central server is not hit on every request, and a revocation takes effect within that window.
- Outage tolerance: if the central server is unreachable, a cached result is still honored. With no cached result, `fail_open` decides allow vs deny (default deny).
- Scope: when `scope` is set, the server rejects keys belonging to other customers (returns `valid=false, reason="scope_mismatch"`).
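The cache and outage rules above, modelled as an added example; this is not keyverify's own code. `SketchVerifier`, `CentralUnreachable`, the `backend` callable, the `central_unreachable` reason string and the timeline are hypothetical, and the sketch assumes an expired cache entry still counts as a cached result during an outage.

```python
import hashlib
import time
from typing import NamedTuple

class CentralUnreachable(Exception):
    """Raised by the hypothetical backend call when the key server is down."""

class Result(NamedTuple):
    valid: bool
    reason: str = ""

class SketchVerifier:
    """Model of the documented behaviour; not keyverify's implementation."""
    def __init__(self, backend, cache_ttl=300, fail_open=False, clock=time.monotonic):
        self._backend, self._ttl = backend, cache_ttl
        self._fail_open, self._clock = fail_open, clock
        self._cache = {}  # sha256(api_key) -> (Result, stored_at); no raw keys kept

    def verify(self, api_key):
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        hit, now = self._cache.get(digest), self._clock()
        if hit and now - hit[1] < self._ttl:
            return hit[0]  # fresh entry: central server not contacted
        try:
            result = self._backend(api_key)
        except CentralUnreachable:
            if hit:
                return hit[0]  # assumption: an expired entry still counts as cached
            return Result(self._fail_open, "central_unreachable")
        self._cache[digest] = (result, now)
        return result

def demo():
    """Constructed timeline: key revoked at t=100, central server down from t=700."""
    s = {"now": 0.0, "revoked": False, "down": False}
    def backend(_key):
        if s["down"]:
            raise CentralUnreachable()
        return Result(not s["revoked"], "revoked" if s["revoked"] else "")
    closed = SketchVerifier(backend, clock=lambda: s["now"])
    opened = SketchVerifier(backend, fail_open=True, clock=lambda: s["now"])
    out = {"t0": closed.verify("k1").valid}  # verified and cached
    s.update(now=100.0, revoked=True)
    out["t100_revoked"] = closed.verify("k1").valid  # still accepted inside the window
    s.update(now=301.0)
    out["t301"] = closed.verify("k1").valid  # TTL expired: revocation is seen
    s.update(now=700.0, down=True)
    out["outage_stale"] = closed.verify("k1").valid  # expired deny is honoured
    out["outage_unknown"] = (closed.verify("k2").valid, opened.verify("k2").valid)
    return out
```

The `t100_revoked` entry is the trade-off to size `cache_ttl` against: a revoked key keeps working until its cache entry expires, and with `fail_open=True` a key that was never verified is accepted for as long as the central server is down.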
Install (per service)
Each service adds this as a dependency (path, git, or internal index). For example, in a service's pyproject:
```toml
dependencies = ["keyverify @ file:///path/to/key-verify-client"]
```
Development
Install the project and its development tools:
```bash
python -m pip install -e ".[dev]"
npm ci
pre-commit install
pre-commit install --hook-type commit-msg
pre-commit install --hook-type pre-push
```
Run the same checks used by GitHub Actions:
```bash
pre-commit run --all-files
pytest --cov=keyverify --cov-report=term-missing --cov-fail-under=90
python -m build
python -m twine check dist/*
```
Automated releases
The repository uses Conventional Commits and semantic-release.
- Pull requests and feature branches run linting, type checking, tests, coverage, wheel/source-distribution builds, and package metadata checks.
- Commits pushed to `dev` create a prerelease such as `0.2.0-dev.1`. The corresponding Python distribution version is normalized to `0.2.0.dev1` and attached to the GitHub prerelease.
- Commits pushed to `main` create a stable GitHub release and publish the wheel and source distribution to PyPI.
- After a stable release, the workflow merges `main` back into `dev`.
Required GitHub and PyPI settings
- Keep the existing `package-lock.json` committed because the workflows use `npm ci`.
- Create a GitHub Environment named `pypi`.
- In the PyPI project, add a GitHub Trusted Publisher with:
  - repository owner and repository name matching this repository;
  - workflow filename `release.yml`;
  - environment name `pypi`.
- Give GitHub Actions permission to create repository contents. If branch protection prevents the release commit or the `main` to `dev` synchronization, create a repository secret named `SEMANTIC_RELEASE_TOKEN` containing a fine-grained token that can push to both branches and create releases.
Only stable releases from main are uploaded to PyPI. The dev branch produces
GitHub prereleases only. Package version metadata is stored in
src/keyverify/version.py.
File details
Details for the file keyverify-1.0.0.tar.gz.
File metadata
- Download URL: keyverify-1.0.0.tar.gz
- Upload date:
- Size: 12.7 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d282fa25103031313a7664e295d066f067b052edda9679d809b706c596ba6192 |
| MD5 | 428bf80397cc6f9e946ebf4fa2a27148 |
| BLAKE2b-256 | f7cc38da721098eac499d89a2e2b110a8cea2d201b0ced47c7dcc10e21bec66d |
Provenance
The following attestation bundles were made for keyverify-1.0.0.tar.gz:
Publisher: release.yml on AIAIAIAIAIAIAIAIA/key-verify-client
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: keyverify-1.0.0.tar.gz
  - Subject digest: d282fa25103031313a7664e295d066f067b052edda9679d809b706c596ba6192
- Sigstore transparency entry: 2020180704
- Sigstore integration time:
- Permalink: AIAIAIAIAIAIAIAIA/key-verify-client@3ff3c865301d31cb19a270d1fd58513cbfd7b1f7
- Branch / Tag: refs/heads/main
- Owner: https://github.com/AIAIAIAIAIAIAIAIA
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@3ff3c865301d31cb19a270d1fd58513cbfd7b1f7
- Trigger Event: push
File details
Details for the file keyverify-1.0.0-py3-none-any.whl.
File metadata
- Download URL: keyverify-1.0.0-py3-none-any.whl
- Upload date:
- Size: 4.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cdaa2bf003b44e231069712e374f8fd4975ee0b83831bc148b18e4da3fc35667 |
| MD5 | 90b9df9896027af6b74e1fd4b652beba |
| BLAKE2b-256 | 53144cbb4840cc566955e126ca1ee3b3218625dc3e591e66c6e60ac6e1ab4fb9 |
Provenance
The following attestation bundles were made for keyverify-1.0.0-py3-none-any.whl:
Publisher: release.yml on AIAIAIAIAIAIAIAIA/key-verify-client
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: keyverify-1.0.0-py3-none-any.whl
  - Subject digest: cdaa2bf003b44e231069712e374f8fd4975ee0b83831bc148b18e4da3fc35667
- Sigstore transparency entry: 2020180871
- Sigstore integration time:
- Permalink: AIAIAIAIAIAIAIAIA/key-verify-client@3ff3c865301d31cb19a270d1fd58513cbfd7b1f7
- Branch / Tag: refs/heads/main
- Owner: https://github.com/AIAIAIAIAIAIAIAIA
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@3ff3c865301d31cb19a270d1fd58513cbfd7b1f7
- Trigger Event: push