Skip to main content

OathMesh verification SDK for Python — FastAPI, Flask, Django

Project description


title: Python SDK description: OathMesh token verification SDK for Python with FastAPI, Flask, and Django integration patterns. keywords: [oathmesh, python, fastapi, flask, django, jwt, machine-identity] audience: application-developers, platform-engineers, enterprise-teams

Docs Index

oathmesh

OathMesh Logo

OathMesh token verification SDK for Python.

Table of Contents

Installation

pip install oathmesh
# or
poetry add oathmesh

Requirements:

  • Python 3.9+
  • PyJWT >= 2.8.0
  • cryptography >= 41.0.0

Quick Start

from oathmesh import verify_token, VerifierConfig

config = VerifierConfig(
    audience="https://inventory.internal",
    trusted_issuers=["https://issuer.oathmesh.tech"],
)

caller = verify_token("OathMesh <token>", config)
print(caller.principal.subject)

Canonical header:

Authorization: OathMesh <token>

Framework Integrations

FastAPI

Use a dependency that calls verify_token(...) and raises HTTPException(401) on OathMeshError.

Flask

Use @app.before_request to verify request.headers.get("Authorization", "").

Django

Use a view decorator that verifies request.META.get("HTTP_AUTHORIZATION", "").

Configuration

from oathmesh import VerifierConfig, verify_raw_token, extract_token

config = VerifierConfig(
    audience="https://inventory.internal",
    trusted_issuers=["https://issuer.oathmesh.tech"],
    on_verified=lambda ctx: logger.info("allowed", extra={"sub": ctx.principal.subject}),
    on_denied=lambda err: logger.warning("denied", extra={"code": err.code, "step": err.step}),
)

token = extract_token(auth_header)
caller = verify_raw_token(token, config)

Verifier semantics:

  • Canonical and required header for verification is Authorization: OathMesh <token>.
  • extract_token returns None for non-OathMesh schemes.
  • If upstream sends Bearer, translate it to OathMesh before calling verifier APIs.
  • Verifier behavior is aligned with canonical Go step semantics for conformance-critical checks (including alg=none rejection, subject format validation, binding-required semantics, and future-iat rejection).
  • Parity is behavioral across language runtimes; implementations are intentionally language-native, not byte-identical.
  • revocation_list remains optional. Cross-SDK conformance currently marks Python revocation behavior as SKIP/N/A.

Error Handling

from oathmesh import OathMeshError

try:
    # verify...
    pass
except OathMeshError as err:
    print(err.code, err.message, err.fix, err.step)

Common codes: claim_missing:token, issuer_untrusted, audience_mismatch, signature_invalid, token_expired.

Troubleshooting

Symptom Likely cause Fix
claim_missing:token Missing/invalid header Send Authorization: OathMesh <token>
issuer_untrusted iss not in trusted_issuers Add exact issuer URL
audience_mismatch Token aud differs from audience Mint token with matching aud
token_expired TTL elapsed / clock skew Mint fresh token and sync clocks
signature_invalid JWKS/issuer mismatch Check issuer URL and JWKS reachability

Security Notes

  • Verify only tokens from trusted issuers you control.
  • Never log raw tokens or API keys.
  • Keep issuer TLS and JWKS endpoints reachable and authenticated.
  • Treat all claims as untrusted until verification succeeds.

Production Tips

  • Reuse verifier config objects across requests.
  • Log error code and step for operational triage.
  • Use short TTLs and rotate issuer keys safely.
  • Monitor deny rates by error code.

Related Docs

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

oathmesh-0.1.1.tar.gz (21.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

oathmesh-0.1.1-py3-none-any.whl (24.1 kB view details)

Uploaded Python 3

File details

Details for the file oathmesh-0.1.1.tar.gz.

File metadata

  • Download URL: oathmesh-0.1.1.tar.gz
  • Upload date:
  • Size: 21.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for oathmesh-0.1.1.tar.gz
Algorithm Hash digest
SHA256 f62e322f9e430b9ac4d85b7b5142b5b97a23921a8508b6094ab89d6e78461dc9
MD5 3503a1d5d23822ec029bcbdbfd477199
BLAKE2b-256 5ae51b13d4ba81a1f48006c72922eecc2e274afa86304d83a0be8a00cb306c18

See more details on using hashes here.

File details

Details for the file oathmesh-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: oathmesh-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 24.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for oathmesh-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 916cc8ce31776042d6621a74db464bab18ad959e87ebd1d846d59ebdf729af33
MD5 064e5ef425e95eaade5ddd3cfe97ce5a
BLAKE2b-256 11f985e08e857e366ca1deffa4f9e069bf5911bdc9ebd6c998d797b610ad06da

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page