OathMesh verification SDK for Python — FastAPI, Flask, Django
Project description
title: Python SDK description: OathMesh token verification SDK for Python with FastAPI, Flask, and Django integration patterns. keywords: [oathmesh, python, fastapi, flask, django, jwt, machine-identity] audience: application-developers, platform-engineers, enterprise-teams
oathmesh
OathMesh token verification SDK for Python.
Table of Contents
- Installation
- Quick Start
- Framework Integrations
- Configuration
- Error Handling
- Troubleshooting
- Security Notes
- Production Tips
- Related Docs
Installation
pip install oathmesh
# or
poetry add oathmesh
Requirements:
- Python 3.9+
- PyJWT >= 2.8.0
- cryptography >= 41.0.0
Quick Start
from oathmesh import verify_token, VerifierConfig
config = VerifierConfig(
audience="https://inventory.internal",
trusted_issuers=["https://issuer.oathmesh.tech"],
)
caller = verify_token("OathMesh <token>", config)
print(caller.principal.subject)
Canonical header:
Authorization: OathMesh <token>
Framework Integrations
FastAPI
Use a dependency that calls verify_token(...) and raises HTTPException(401) on OathMeshError.
Flask
Use @app.before_request to verify request.headers.get("Authorization", "").
Django
Use a view decorator that verifies request.META.get("HTTP_AUTHORIZATION", "").
Configuration
from oathmesh import VerifierConfig, verify_raw_token, extract_token
config = VerifierConfig(
audience="https://inventory.internal",
trusted_issuers=["https://issuer.oathmesh.tech"],
on_verified=lambda ctx: logger.info("allowed", extra={"sub": ctx.principal.subject}),
on_denied=lambda err: logger.warning("denied", extra={"code": err.code, "step": err.step}),
)
token = extract_token(auth_header)
caller = verify_raw_token(token, config)
Verifier semantics:
- Canonical and required header for verification is
Authorization: OathMesh <token>. extract_tokenreturnsNonefor non-OathMesh schemes.- If upstream sends
Bearer, translate it toOathMeshbefore calling verifier APIs. - Verifier behavior is aligned with canonical Go step semantics for conformance-critical checks (including
alg=nonerejection, subject format validation, binding-required semantics, and future-iatrejection). - Parity is behavioral across language runtimes; implementations are intentionally language-native, not byte-identical.
revocation_listremains optional. Cross-SDK conformance currently marks Python revocation behavior as SKIP/N/A.
Error Handling
from oathmesh import OathMeshError
try:
# verify...
pass
except OathMeshError as err:
print(err.code, err.message, err.fix, err.step)
Common codes: claim_missing:token, issuer_untrusted, audience_mismatch, signature_invalid, token_expired.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
claim_missing:token |
Missing/invalid header | Send Authorization: OathMesh <token> |
issuer_untrusted |
iss not in trusted_issuers |
Add exact issuer URL |
audience_mismatch |
Token aud differs from audience |
Mint token with matching aud |
token_expired |
TTL elapsed / clock skew | Mint fresh token and sync clocks |
signature_invalid |
JWKS/issuer mismatch | Check issuer URL and JWKS reachability |
Security Notes
- Verify only tokens from trusted issuers you control.
- Never log raw tokens or API keys.
- Keep issuer TLS and JWKS endpoints reachable and authenticated.
- Treat all claims as untrusted until verification succeeds.
Production Tips
- Reuse verifier config objects across requests.
- Log
error codeandstepfor operational triage. - Use short TTLs and rotate issuer keys safely.
- Monitor deny rates by error code.
Related Docs
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file oathmesh-0.1.1.tar.gz.
File metadata
- Download URL: oathmesh-0.1.1.tar.gz
- Upload date:
- Size: 21.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f62e322f9e430b9ac4d85b7b5142b5b97a23921a8508b6094ab89d6e78461dc9
|
|
| MD5 |
3503a1d5d23822ec029bcbdbfd477199
|
|
| BLAKE2b-256 |
5ae51b13d4ba81a1f48006c72922eecc2e274afa86304d83a0be8a00cb306c18
|
File details
Details for the file oathmesh-0.1.1-py3-none-any.whl.
File metadata
- Download URL: oathmesh-0.1.1-py3-none-any.whl
- Upload date:
- Size: 24.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
916cc8ce31776042d6621a74db464bab18ad959e87ebd1d846d59ebdf729af33
|
|
| MD5 |
064e5ef425e95eaade5ddd3cfe97ce5a
|
|
| BLAKE2b-256 |
11f985e08e857e366ca1deffa4f9e069bf5911bdc9ebd6c998d797b610ad06da
|