Minimal JWT auth server for the pico ecosystem
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
Pico-Auth
Minimal JWT auth server for the Pico ecosystem.
Pico-Auth is a ready-to-run authentication server built on top of the pico-framework stack. It provides:
- RS256 JWT tokens with auto-generated RSA key pairs
- Refresh token rotation with SHA-256 hashed storage
- RBAC with four built-in roles:
superadmin,org_admin,operator,viewer - OIDC discovery endpoints (
.well-known/openid-configuration, JWKS) - Bcrypt password hashing (72-byte input limit enforced)
- Zero-config startup with auto-created admin user
Requires Python 3.11+
Architecture
Pico-Auth uses the full Pico stack with dependency injection:
| Layer | Component | Decorator |
|---|---|---|
| Config | AuthSettings |
@configured(prefix="auth") |
| Models | User, RefreshToken |
SQLAlchemy AppBase |
| Repository | UserRepository, RefreshTokenRepository |
@component |
| Service | AuthService |
@component |
| Security | JWTProvider, PasswordService, LocalJWKSProvider |
@component |
| Routes | AuthController, OIDCController |
@controller |
Installation
pip install -e ".[dev]"
Quick Start
1. Run the Server
python -m pico_auth.main
The server starts on http://localhost:8100 with:
- An auto-created admin user (
admin@pico.local/admin) - SQLite database at
auth.db - RSA keys at
~/.pico-auth/
2. Register a User
curl -X POST http://localhost:8100/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{"email": "alice@example.com", "password": "secret123", "display_name": "Alice"}'
3. Login
curl -X POST http://localhost:8100/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "alice@example.com", "password": "secret123"}'
Returns:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "a1b2c3d4...",
"token_type": "Bearer",
"expires_in": 900
}
4. Access Protected Endpoint
curl http://localhost:8100/api/v1/auth/me \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
API Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/auth/register |
No | Register a new user |
| POST | /api/v1/auth/login |
No | Login and get tokens |
| POST | /api/v1/auth/refresh |
No | Refresh access token |
| GET | /api/v1/auth/me |
Bearer | Get current user profile |
| POST | /api/v1/auth/me/password |
Bearer | Change password |
| GET | /api/v1/auth/users |
Admin | List all users |
| PUT | /api/v1/auth/users/{id}/role |
Admin | Update user role |
| GET | /api/v1/auth/jwks |
No | JSON Web Key Set |
| GET | /.well-known/openid-configuration |
No | OIDC discovery |
Configuration
All settings are loaded from application.yaml and can be overridden with environment variables:
auth:
data_dir: "~/.pico-auth" # RSA key storage
access_token_expire_minutes: 15 # JWT lifetime
refresh_token_expire_days: 7 # Refresh token lifetime
issuer: "http://localhost:8100" # JWT issuer claim
audience: "pico-bot" # JWT audience claim
auto_create_admin: true # Create admin on startup
admin_email: "admin@pico.local" # Default admin email
admin_password: "admin" # Default admin password
database:
url: "sqlite+aiosqlite:///auth.db" # Database URL
echo: false # SQL logging
auth_client:
enabled: true # Enable auth middleware
issuer: "http://localhost:8100" # Must match auth.issuer
audience: "pico-bot" # Must match auth.audience
fastapi:
title: "Pico Auth API"
version: "0.1.0"
Environment variable override example:
AUTH_ISSUER=https://auth.myapp.com AUTH_ADMIN_PASSWORD=strong-password python -m pico_auth.main
JWT Token Claims
Access tokens include:
| Claim | Description |
|---|---|
sub |
User ID |
email |
User email |
role |
User role (superadmin, org_admin, operator, viewer) |
org_id |
Organization ID |
iss |
Issuer URL |
aud |
Audience |
iat |
Issued at (Unix timestamp) |
exp |
Expiration (Unix timestamp) |
jti |
Unique token ID |
Ecosystem
Pico-Auth is built on:
| Package | Role |
|---|---|
| pico-ioc | Dependency injection container |
| pico-boot | Bootstrap and plugin discovery |
| pico-fastapi | FastAPI integration with @controller |
| pico-sqlalchemy | Async SQLAlchemy with SessionManager |
| pico-client-auth | JWT auth middleware with SecurityContext |
Development
# Install in dev mode
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Run with coverage
pytest --cov=pico_auth --cov-report=term-missing tests/
# Full test matrix
tox
# Lint
ruff check pico_auth/ tests/
License
MIT - LICENSE
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
pico_auth-0.1.0.tar.gz
(18.6 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
pico_auth-0.1.0-py3-none-any.whl
(15.3 kB
view details)
File details
Details for the file pico_auth-0.1.0.tar.gz.
File metadata
- Download URL: pico_auth-0.1.0.tar.gz
- Upload date:
- Size: 18.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b142d850c60d4f83985960a93ed577506d3a9856c5d1e5aaed82ad84f697ad0f
|
|
| MD5 |
822813bcb26a96c2a6f62537d9044003
|
|
| BLAKE2b-256 |
61d985ebf299782d24862e676f74c3de49ec7ec65dfe323fb9a74f8e410ba229
|
Provenance
The following attestation bundles were made for pico_auth-0.1.0.tar.gz:
Publisher:
publish-to-pypi.yml on dperezcabrera/pico-auth
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pico_auth-0.1.0.tar.gz -
Subject digest:
b142d850c60d4f83985960a93ed577506d3a9856c5d1e5aaed82ad84f697ad0f - Sigstore transparency entry: 973974791
- Sigstore integration time:
-
Permalink:
dperezcabrera/pico-auth@809196f5f4b289ca0ff6aed7fb9fcd5d2fc5c25a -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/dperezcabrera
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-to-pypi.yml@809196f5f4b289ca0ff6aed7fb9fcd5d2fc5c25a -
Trigger Event:
release
-
Statement type:
File details
Details for the file pico_auth-0.1.0-py3-none-any.whl.
File metadata
- Download URL: pico_auth-0.1.0-py3-none-any.whl
- Upload date:
- Size: 15.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2d5a3537752ecac46e48b66f6d5050ce257fd95323b572b0723713924e2df0e1
|
|
| MD5 |
a38ec545e86d5898d124a4c6acc47b69
|
|
| BLAKE2b-256 |
7e9afa8dbdd522d9fc7ec4de3de8d3e9a28ec7efc17715c12a51951ea6dc8757
|
Provenance
The following attestation bundles were made for pico_auth-0.1.0-py3-none-any.whl:
Publisher:
publish-to-pypi.yml on dperezcabrera/pico-auth
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pico_auth-0.1.0-py3-none-any.whl -
Subject digest:
2d5a3537752ecac46e48b66f6d5050ce257fd95323b572b0723713924e2df0e1 - Sigstore transparency entry: 973974845
- Sigstore integration time:
-
Permalink:
dperezcabrera/pico-auth@809196f5f4b289ca0ff6aed7fb9fcd5d2fc5c25a -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/dperezcabrera
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-to-pypi.yml@809196f5f4b289ca0ff6aed7fb9fcd5d2fc5c25a -
Trigger Event:
release
-
Statement type:
