Skip to main content

OathMesh verification SDK for Python — FastAPI, Flask, Django

Project description


title: Python SDK description: OathMesh token verification SDK for Python with FastAPI, Flask, and Django integration patterns. keywords: [oathmesh, python, fastapi, flask, django, jwt, machine-identity] audience: application-developers, platform-engineers, enterprise-teams

Docs Index

oathmesh

OathMesh Logo

OathMesh token verification SDK for Python.

Table of Contents

Installation

pip install oathmesh
# or
poetry add oathmesh

Requirements:

  • Python 3.9+
  • PyJWT >= 2.8.0
  • cryptography >= 41.0.0

Quick Start

from oathmesh import verify_token, VerifierConfig

config = VerifierConfig(
    audience="https://inventory.internal",
    trusted_issuers=["https://issuer.oathmesh.tech"],
)

caller = verify_token("OathMesh <token>", config)
print(caller.principal.subject)

Canonical header:

Authorization: OathMesh <token>

Framework Integrations

FastAPI

Use a dependency that calls verify_token(...) and raises HTTPException(401) on OathMeshError.

Flask

Use @app.before_request to verify request.headers.get("Authorization", "").

Django

Use a view decorator that verifies request.META.get("HTTP_AUTHORIZATION", "").

Configuration

from oathmesh import VerifierConfig, verify_raw_token, extract_token

config = VerifierConfig(
    audience="https://inventory.internal",
    trusted_issuers=["https://issuer.oathmesh.tech"],
    on_verified=lambda ctx: logger.info("allowed", extra={"sub": ctx.principal.subject}),
    on_denied=lambda err: logger.warning("denied", extra={"code": err.code, "step": err.step}),
)

token = extract_token(auth_header)
caller = verify_raw_token(token, config)

Verifier semantics:

  • Canonical and required header for verification is Authorization: OathMesh <token>.
  • extract_token returns None for non-OathMesh schemes.
  • If upstream sends Bearer, translate it to OathMesh before calling verifier APIs.
  • Verifier behavior is aligned with canonical Go step semantics for conformance-critical checks (including alg=none rejection, subject format validation, binding-required semantics, and future-iat rejection).
  • Parity is behavioral across language runtimes; implementations are intentionally language-native, not byte-identical.
  • revocation_list remains optional. Cross-SDK conformance currently marks Python revocation behavior as SKIP/N/A.

Error Handling

from oathmesh import OathMeshError

try:
    # verify...
    pass
except OathMeshError as err:
    print(err.code, err.message, err.fix, err.step)

Common codes: claim_missing:token, issuer_untrusted, audience_mismatch, signature_invalid, token_expired.

Troubleshooting

Symptom Likely cause Fix
claim_missing:token Missing/invalid header Send Authorization: OathMesh <token>
issuer_untrusted iss not in trusted_issuers Add exact issuer URL
audience_mismatch Token aud differs from audience Mint token with matching aud
token_expired TTL elapsed / clock skew Mint fresh token and sync clocks
signature_invalid JWKS/issuer mismatch Check issuer URL and JWKS reachability

Security Notes

  • Verify only tokens from trusted issuers you control.
  • Never log raw tokens or API keys.
  • Keep issuer TLS and JWKS endpoints reachable and authenticated.
  • Treat all claims as untrusted until verification succeeds.

Production Tips

  • Reuse verifier config objects across requests.
  • Log error code and step for operational triage.
  • Use short TTLs and rotate issuer keys safely.
  • Monitor deny rates by error code.

Related Docs

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

oathmesh-1.0.0rc1.tar.gz (21.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

oathmesh-1.0.0rc1-py3-none-any.whl (24.8 kB view details)

Uploaded Python 3

File details

Details for the file oathmesh-1.0.0rc1.tar.gz.

File metadata

  • Download URL: oathmesh-1.0.0rc1.tar.gz
  • Upload date:
  • Size: 21.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for oathmesh-1.0.0rc1.tar.gz
Algorithm Hash digest
SHA256 dc640e420c8822b648919e6b5dce715fc727236bad9eab22ff137668149749b4
MD5 80b158330a4536f2285a1150766ebb09
BLAKE2b-256 fceabde9925566ff3f3b080554b47c524eefd26f640e475a18ff10e99865ff25

See more details on using hashes here.

File details

Details for the file oathmesh-1.0.0rc1-py3-none-any.whl.

File metadata

  • Download URL: oathmesh-1.0.0rc1-py3-none-any.whl
  • Upload date:
  • Size: 24.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for oathmesh-1.0.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 ec1c57ef2e48ee75fa7e526b5135cc7c93e5cc0489e4f58aa832aa29b461dc2a
MD5 1ae821fb081bd7707dcdc280b7a9a2d0
BLAKE2b-256 c7cc3cf338aa355c870fe3c1c0e1ceb8483ecbb56126fdcee11a2291580dd25e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page