
Embeddable auth server module for the pico ecosystem — JWT issuance, wallet login, JWKS endpoint

Project description

pico-server-auth


Embeddable auth server module for the pico-boot ecosystem.

Issues JWT tokens, handles wallet challenge-response login, and exposes JWKS — all compatible with pico-client-auth validation.

Two deployment modes

Embedded — add it to any pico-boot app and auth runs in the same process. The module is auto-discovered, so there is no need to list it in modules=[]:

container = init(modules=["myapp"], config=config)
# pico-server-auth endpoints are available automatically

Standalone — deploy as a separate auth service:

container = init(modules=[], config=config)
app = container.get(FastAPI)
# Other services point pico-client-auth to this service's /api/v1/auth/jwks

Scaffold a new project with pico-initializer — select pico-server-auth in the modules list.

Endpoints

GET  /api/v1/auth/jwks            JWKS public keys (pico-client-auth fetches this)
POST /api/v1/auth/challenge       Request nonce for wallet login
POST /api/v1/auth/sign-in         Verify wallet signature, issue JWT
POST /api/v1/auth/login           Password login (admin bootstrap)
POST /api/v1/auth/fleet/sessions  Mint a fleet session token (X-Fleet-Secret gated)   [v0.1.2]
POST /api/v1/auth/revoke          Revoke a token by jti (operator-gated)               [v0.1.2]
GET  /api/v1/auth/revoked-jtis    jti denylist (polled by pico-client-auth)            [v0.1.2]
GET  /api/v1/auth/mints           Currently-valid long-lived tokens (audit view)       [v0.1.2]

Wallet login flow

Client                              pico-server-auth
  │                                 │
  │ POST /api/v1/auth/challenge     │
  │ { address: "0x..." }            │
  │────────────────────────────────>│
  │ { challenge: "<nonce>" }        │
  │<────────────────────────────────│
  │                                 │
  │ sign(nonce) with wallet         │
  │                                 │
  │ POST /api/v1/auth/sign-in       │
  │ { address, public_key,          │
  │   signature, challenge,         │
  │   algorithm: "ML-DSA-65" }      │
  │────────────────────────────────>│
  │ { access_token, address }       │
  │<────────────────────────────────│

Supported wallet algorithms

Algorithm   Type                              Library
ML-DSA-65   Post-quantum lattice (FIPS 204)   cryptography
Ed25519     Edwards curve                     cryptography
secp256k1   Elliptic curve (ECDSA)            cryptography

Compatibility with pico-client-auth

Tokens issued by pico-server-auth are standard JWT (RS256). pico-client-auth validates them by fetching JWKS from the /api/v1/auth/jwks endpoint.

Same process: pico-client-auth discovers the JWKS endpoint automatically (same FastAPI app).

Separate processes: configure pico-client-auth to point to the server:

auth_client:
  issuer: "http://auth-server:8100"
  audience: "pico"
  # JWKS fetched from http://auth-server:8100/api/v1/auth/jwks

Challenge store

By default, challenges are stored in memory with TTL expiry. For multi-instance deployments, register a custom ChallengeStore component:

@component
class RedisChallengeStore:
    async def create(self, address: str) -> str: ...               # issue a fresh nonce for this address
    async def validate(self, address: str, nonce: str) -> bool: ...  # check the nonce presented at sign-in
    async def cleanup(self) -> int: ...                            # purge expired challenges, return the count

The in-memory default is replaced automatically via on_missing_selector.

Configuration

server_auth:
  issuer: "http://localhost:8100"
  audience: "pico"
  algorithm: "RS256"
  access_token_expire_minutes: 15
  challenge_ttl_seconds: 60
  supported_wallet_algorithms:
    - "ML-DSA-65"
    - "Ed25519"
    - "secp256k1"

  # ── v0.1.2: agent/fleet, revocation & mint audit ──
  admin_role: "operator"            # role stamped on password-login tokens
  fleet_mint_secret: ""             # set to enable POST /fleet/sessions (X-Fleet-Secret)
  fleet_session_ttl_seconds: 86400  # default fleet session lifetime (24h)
  revocation_store_path: ""         # JSONL path for the jti denylist (empty = in-memory)
  mint_audit_path: ""               # JSONL path for the mint audit log (empty = in-memory)
  mint_audit_min_ttl_seconds: 300   # don't audit mints shorter-lived than this
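
A compact model of the RS256/JWKS contract between pico-server-auth and pico-client-auth, plus the v0.1.2 jti denylist, as an added example that is not the project's own code: it generates an RSA key, publishes the public numbers as JWKS, mints a token with the claims the config names, and validates it the way a JWKS-polling client would (kid lookup, pinned algorithm, iss/aud/exp, revoked-jti check). AuthServer, validate and the jti values are constructed; the 900 s default mirrors access_token_expire_minutes: 15.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

b64url = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()        # JWT/JWK base64url, unpadded
b64url_decode = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
uint_b64 = lambda n: b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))    # JWK big-endian integer


class AuthServer:  # constructed RS256 issuer: JWKS publication plus a jti denylist
    def __init__(self, issuer: str, audience: str, kid: str = "k1"):
        self.issuer, self.audience, self.kid = issuer, audience, kid
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.revoked_jtis = set()  # what GET /api/v1/auth/revoked-jtis would serve

    def jwks(self) -> dict:  # what GET /api/v1/auth/jwks would return (public numbers only)
        pub = self._key.public_key().public_numbers()
        return {"keys": [{"kty": "RSA", "kid": self.kid, "use": "sig", "alg": "RS256",
                          "n": uint_b64(pub.n), "e": uint_b64(pub.e)}]}

    def issue(self, sub: str, jti: str, now: int, ttl: int = 900) -> str:
        header = {"alg": "RS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": self.issuer, "aud": self.audience, "sub": sub, "jti": jti,
                  "iat": now, "exp": now + ttl}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = self._key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
        return signing_input + "." + b64url(sig)


def validate(token: str, jwks: dict, issuer: str, audience: str, revoked: set, now: int) -> "dict | None":
    """Validation as a JWKS-based client would do it: kid lookup, RS256 verify, iss/aud/exp, denylist."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        jwk = next(k for k in jwks["keys"] if k["kid"] == header.get("kid"))
        if header.get("alg") != "RS256" or jwk.get("alg") != "RS256":  # pin the algorithm; never trust the token's
            return None
        n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
        rsa.RSAPublicNumbers(e, n).public_key().verify(
            b64url_decode(s64), f"{h64}.{c64}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except (ValueError, KeyError, StopIteration, InvalidSignature):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return None if claims.get("jti") in revoked else claims
```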

License

MIT

Download files

Source Distribution: pico_server_auth-0.1.2.tar.gz (48.9 kB)

Built Distribution: pico_server_auth-0.1.2-py3-none-any.whl (23.0 kB, Python 3)

File details: pico_server_auth-0.1.2.tar.gz

  • Size: 48.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing: yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

Hashes for pico_server_auth-0.1.2.tar.gz
  SHA256       d1257effc5d3ec13b903338b26771671ce4fd239d76de58ada168d139d769bdd
  MD5          a411844d8ef9645c449fc12101909b0f
  BLAKE2b-256  09ff95f15e7f602e0dffc4932d7b60d4782007618800964e130be2b18a4e52a5

Provenance: attestation bundle published by publish-to-pypi.yml on dperezcabrera/pico-server-auth (values reflect the state when the release was signed).

File details: pico_server_auth-0.1.2-py3-none-any.whl

Hashes for pico_server_auth-0.1.2-py3-none-any.whl
  SHA256       bd6008d9a63030719cc7405b684e1fde695fcf190d038320de5afce164950f8a
  MD5          9218f4b506c6dc4c8c7ec5c35bcda049
  BLAKE2b-256  695180d5f33daf560504312128e2f649f68d259f25b2060102fb591930ce5c60

Provenance: attestation bundle published by publish-to-pypi.yml on dperezcabrera/pico-server-auth (values reflect the state when the release was signed).
