Skip to main content

Open-source FastAPI authentication and authorization library with RBAC, ABAC, and Postgres-backed permissions.

Project description

OutlabsAuth

Open-source FastAPI authentication and authorization for RBAC, ABAC, API keys, and Postgres-backed permission models.

Python 3.12+ License: MIT Stage: Alpha

Alpha release - Public PyPI packaging is supported, but the API surface is still settling before 1.0.

Status

Current Library Version: 0.1.0a23

Release Stage: Alpha

What It Does

OutlabsAuth is a library-first auth system for FastAPI applications that want to keep authentication and authorization inside the app instead of outsourcing it to a separate service.

  • SimpleRBAC and EnterpriseRBAC presets
  • JWT auth, refresh tokens, API keys, service tokens, and OAuth hooks
  • Postgres-backed users, roles, permissions, entities, and audit history
  • FastAPI router factories, middleware, and CLI migrations

Install

pip install outlabs-auth

You will also need a PostgreSQL database available to the consuming app.

The consuming app owns its own configuration. In practice that means you provide:

  • a PostgreSQL connection URL
  • a JWT signing secret
  • any app-specific entity, membership, or host-query integrations you want on top of the base library

Quickstart

from contextlib import asynccontextmanager

from fastapi import FastAPI
from outlabs_auth import SimpleRBAC, register_exception_handlers
from outlabs_auth.routers import get_auth_router

auth = SimpleRBAC(
    database_url="postgresql+asyncpg://postgres:postgres@localhost:5432/app",
    secret_key="change-me",
    auto_migrate=True,
)


@asynccontextmanager
async def lifespan(app: FastAPI):
    await auth.initialize()
    yield
    await auth.shutdown()


app = FastAPI(lifespan=lifespan)
register_exception_handlers(app)
app.include_router(get_auth_router(auth, prefix="/auth"))

This example uses auto_migrate=True for convenience. For production, run migrations explicitly with the packaged CLI instead of relying on startup migration.

CLI Bootstrap

After installation, the package exposes an outlabs-auth CLI for schema setup and initial seeding.

export DATABASE_URL=postgresql+asyncpg://postgres:postgres@localhost:5432/app
# optional: export OUTLABS_AUTH_SCHEMA=auth

outlabs-auth migrate
outlabs-auth seed-system
outlabs-auth bootstrap-admin --email admin@example.com --password change-me

Recommended Production Defaults

For real deployments, use the library with explicit, optimized baseline settings rather than the convenience quickstart defaults.

App configuration baseline

from outlabs_auth import EnterpriseRBAC

auth = EnterpriseRBAC(
    database_url="postgresql+asyncpg://user:password@db-host/app?ssl=require",
    database_schema="outlabs_auth",
    secret_key="replace-me",
    auto_migrate=False,
    redis_url="redis://cache-host:6379/0",  # Enables Redis counters + permission cache
)

Recommended defaults:

  • use an explicit auth schema such as outlabs_auth
  • keep auto_migrate=False in normal runtime
  • provide Redis for production API-key counters, rate limits, and permission caching
  • mount the library under an app-owned prefix such as /iam

Database connection guidance

For managed Postgres providers that offer both direct and transaction-pooler URLs, prefer the direct runtime URL for auth-heavy apps.

Why:

  • OutlabsAuth already uses SQLAlchemy connection pooling
  • auth and permission checks often perform multiple small round trips
  • transaction-pooler endpoints add measurable latency for those query patterns
  • non-public auth schemas depend on reliable per-connection schema resolution

Use:

  • postgresql+asyncpg://...

Avoid as the primary runtime URL when you can:

  • transaction-pooler URLs such as provider -pooler endpoints

Bootstrap and worker startup

Do not rely on auto_migrate=True inside a multi-worker application runtime.

Recommended pattern:

  1. Run the packaged CLI in a single-process release or prestart step.
  2. Start the application workers only after that step succeeds.

Example:

export DATABASE_URL='postgresql+asyncpg://user:password@db-host/app?ssl=require'
export OUTLABS_AUTH_SCHEMA='outlabs_auth'

outlabs-auth migrate
outlabs-auth seed-system

exec uvicorn myapp.main:app --host 0.0.0.0 --port 8000 --workers 2

This avoids worker races and keeps schema ownership explicit.

Current operator workflow

Today, the recommended operational commands are:

  • outlabs-auth migrate
  • outlabs-auth seed-system
  • outlabs-auth bootstrap-admin
  • outlabs-auth tables
  • outlabs-auth current
  • outlabs-auth doctor — read-only preflight diagnostics. Runs five checks (connectivity, target schema, Alembic version table, revision matches code, core auth tables) against DATABASE_URL + OUTLABS_AUTH_SCHEMA. Supports --format text (default) and --format json. Exit codes: 0 healthy, 1 one or more checks failed, 2 DATABASE_URL not set. Passwords in the URL are redacted in all output. Safe to run against production — it issues no writes.
  • outlabs-auth bootstrap — idempotent first-boot orchestrator. Classifies the schema, builds a deterministic plan (migrate → seed → optional admin), and executes it. Aborts explicitly on drift, partially-bootstrapped, or missing-schema states rather than auto-repairing. Flags: --dry-run, --skip-seed, --admin-email/--admin-password (also via OUTLABS_AUTH_BOOTSTRAP_* env vars), --format text|json. Same exit-code semantics as doctor. Runs a final doctor pass on success to confirm the healthy end state.

More

The repository includes deeper examples, packaged CLI flows, and design notes:

License

MIT, copyright 2026 OUTLABS LLC.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

outlabs_auth-0.1.0a23.tar.gz (320.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

outlabs_auth-0.1.0a23-py3-none-any.whl (425.9 kB view details)

Uploaded Python 3

File details

Details for the file outlabs_auth-0.1.0a23.tar.gz.

File metadata

  • Download URL: outlabs_auth-0.1.0a23.tar.gz
  • Upload date:
  • Size: 320.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for outlabs_auth-0.1.0a23.tar.gz
Algorithm Hash digest
SHA256 c5a1a047632d8645d61b40218136f54315d69f2e1dda94f4f630d9959616ff2a
MD5 71d1b5b4965f63b07dab74bf955a1459
BLAKE2b-256 0868abf0dd58ac71cc5de9869d4cfaa3da4a82199695a9768c3d62212d196f5a

See more details on using hashes here.

Provenance

The following attestation bundles were made for outlabs_auth-0.1.0a23.tar.gz:

Publisher: publish-pypi.yml on outlabsio/outlabsAuth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file outlabs_auth-0.1.0a23-py3-none-any.whl.

File metadata

  • Download URL: outlabs_auth-0.1.0a23-py3-none-any.whl
  • Upload date:
  • Size: 425.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for outlabs_auth-0.1.0a23-py3-none-any.whl
Algorithm Hash digest
SHA256 abc4001a2d5934d129f0db5de1af667293aa9a9d0505ec80d05e983a6762d8b3
MD5 ba0fa9f53c925ac256a86ddd83a17d72
BLAKE2b-256 050aa22cfa207000bddc02e140ae28dc6dd415b24ea65c75f2f7591dacdfe777

See more details on using hashes here.

Provenance

The following attestation bundles were made for outlabs_auth-0.1.0a23-py3-none-any.whl:

Publisher: publish-pypi.yml on outlabsio/outlabsAuth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page