Qx auth: JWT validation, OIDC client, RBAC primitives, policy engine, rate limiting

Project description

qx-auth

JWT validation, OIDC discovery, RBAC primitives, policy engine, and token-bucket rate limiting for the Qx framework.

What lives here

  • qx.auth.JwtValidator — validates and decodes JWT access tokens. Supports RS256/ES256 via JWKS endpoint, audience and issuer validation, and a pluggable RevocationCheck.
  • qx.auth.JwtSettings — Pydantic settings: JWKS URI, issuer, audience, algorithm, leeway.
  • qx.auth.Principal — decoded token claims: subject, email, roles, permissions, tenant_id, raw claims dict.
  • qx.auth.OidcDiscovery — fetches and caches the OpenID Connect discovery document (/.well-known/openid-configuration). Populates JwtSettings from the discovery endpoint automatically.
  • qx.auth.OidcConfiguration — parsed OIDC discovery document.
  • qx.auth.Role / Permission — value objects for RBAC. Role contains a set of Permission strings with wildcard matching (orders.* matches orders.read).
  • qx.auth.PolicyEvaluator — evaluates a list of Policy objects against a Principal. Policies are composable with require_permission, require_any_permission, and require_all_permissions.
  • qx.auth.TokenBucket — in-memory token-bucket rate limiter. Returns a TokenBucketResult with allowed, remaining, and retry_after — no exceptions.

Usage

JWT validation in a FastAPI route

from fastapi import Depends, HTTPException
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from qx.auth import JwtValidator, Principal

security = HTTPBearer()
# settings.jwt is the application's JwtSettings instance (how it is loaded is up to the app)
validator = JwtValidator(settings.jwt)

async def current_principal(
    token: HTTPAuthorizationCredentials = Depends(security),
) -> Principal:
    result = await validator.validate(token.credentials)
    if not result.is_success:
        # validate() never raises, so the failure is mapped to HTTP here.
        # Send the RFC 6750 challenge header and keep the failure reason
        # (expired, bad signature, wrong audience) out of the response body.
        raise HTTPException(
            status_code=401,
            headers={"WWW-Authenticate": "Bearer"},
        )
    return result.value

Policy evaluation

from qx.auth import PolicyEvaluator, require_permission

# Build the evaluator once; evaluate() runs every policy against the request's Principal.
evaluator = PolicyEvaluator([require_permission("users.write")])
decision = evaluator.evaluate(principal)
if not decision.allowed:
    # Result and ForbiddenError are the Qx framework's result/error types
    # (their import path is not shown on this page).
    return Result.failure(ForbiddenError(...))
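To make the permission-matching and policy-composition rules concrete (the wildcard scheme from the "Design rules" section and the require_* combinators above), here is an added, self-contained reimplementation of that behaviour. It is example code written for this page, not qx-auth's own implementation: the class and function names mirror the ones listed under "What lives here", but their bodies, the Decision.failed field and the demo() principal are assumptions made for the example.

```python
"""Illustrative RBAC evaluation with dot-separated wildcard permissions.

Added example, not qx-auth's own code. It follows the documented semantics:
"orders.*" grants every permission starting with "orders.", and policies
compose with AND (require_all_permissions) or OR (require_any_permission).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


def permission_matches(granted: str, required: str) -> bool:
    """True if the granted permission string covers the required one.

    Only a trailing ".*" is a wildcard, and it only matches permissions under
    the same dotted prefix: "orders.*" covers "orders.read" and
    "orders.items.refund" but not "ordersx.read" and not the bare "orders".
    A wildcard on the *required* side is never a grant.
    """
    if granted == required:
        return True
    if granted.endswith(".*"):
        prefix = granted[:-1]  # "orders.*" -> "orders."
        return required.startswith(prefix) and len(required) > len(prefix)
    return False


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[str]


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: tuple[Role, ...] = ()
    permissions: frozenset[str] = frozenset()  # direct grants outside any role

    def has_permission(self, required: str) -> bool:
        granted = set(self.permissions)
        for role in self.roles:
            granted |= role.permissions
        return any(permission_matches(g, required) for g in granted)


Policy = Callable[[Principal], bool]


def require_permission(perm: str) -> Policy:
    return lambda p: p.has_permission(perm)


def require_any_permission(*perms: str) -> Policy:  # OR
    return lambda p: any(p.has_permission(x) for x in perms)


def require_all_permissions(*perms: str) -> Policy:  # AND
    return lambda p: all(p.has_permission(x) for x in perms)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed: tuple[int, ...]  # indexes of the policies that denied (assumed field)


class PolicyEvaluator:
    """Every policy in the list must pass: the list itself is an AND."""

    def __init__(self, policies: Iterable[Policy]):
        self._policies = tuple(policies)

    def evaluate(self, principal: Principal) -> Decision:
        failed = tuple(i for i, pol in enumerate(self._policies) if not pol(principal))
        return Decision(allowed=not failed, failed=failed)


def demo() -> dict[str, bool]:
    """Constructed principal: the 'support' role grants orders.* and users.read."""
    support = Role("support", frozenset({"orders.*", "users.read"}))
    alice = Principal("alice", roles=(support,))

    def allowed(*policies: Policy) -> bool:
        return PolicyEvaluator(policies).evaluate(alice).allowed

    return {
        "orders.read": allowed(require_permission("orders.read")),                  # wildcard hit
        "orders.items.refund": allowed(require_permission("orders.items.refund")),  # deeper path, still under orders.
        "ordersx.read": allowed(require_permission("ordersx.read")),                # prefix must end at the dot
        "orders": allowed(require_permission("orders")),                            # bare namespace is not covered
        "any_of": allowed(require_any_permission("users.write", "users.read")),     # OR
        "all_of": allowed(require_all_permissions("users.write", "users.read")),    # AND
        "list_is_and": allowed(require_permission("orders.read"), require_permission("users.write")),
    }
```

The two checks worth keeping when you write wildcard matching yourself are the ones in permission_matches: the prefix includes the dot (so "orders.*" cannot leak into "ordersx.*") and a wildcard arriving on the required side is treated as a literal, never as a grant.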

Token-bucket rate limiting

from qx.auth import TokenBucket

# One bucket per key, all held in this process's memory.
bucket = TokenBucket(capacity=100, refill_rate=10)  # 10 tokens/sec

# Keyed by the authenticated subject, so the limit is per user, not per client IP.
result = bucket.consume(principal.subject)
if not result.allowed:
    # consume() never raises; retry_after is the number of seconds until a token is available.
    # Result and RateLimitedError are the Qx framework's result/error types.
    return Result.failure(RateLimitedError(retry_after=result.retry_after))
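The snippet above shows the call shape; to see how capacity, refill_rate and retry_after relate, here is an added per-key token bucket written for this page. It is not qx-auth's TokenBucket: the constructor's clock parameter, the cost argument and the FakeClock used by demo() are assumptions that keep the example deterministic and offline.

```python
"""Illustrative per-key token bucket that reports, never raises.

Added example, not qx-auth's own code. consume(key) returns a result with
allowed, remaining and retry_after, matching the shape documented above.
"""
from __future__ import annotations

import math
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class TokenBucketResult:
    allowed: bool
    remaining: int      # whole tokens left for this key after the call
    retry_after: float  # seconds until the request would be allowed; 0.0 when allowed


class TokenBucket:
    def __init__(self, capacity: int, refill_rate: float,
                 clock: Callable[[], float] = time.monotonic):
        # Constructor arguments are validated; consume() itself never raises.
        if capacity <= 0 or refill_rate <= 0:
            raise ValueError("capacity and refill_rate must be positive")
        self.capacity = capacity
        self.refill_rate = refill_rate  # tokens per second
        self._clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def consume(self, key: str, cost: int = 1) -> TokenBucketResult:
        now = self._clock()
        # A key seen for the first time starts with a full bucket (burst allowance).
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        # Lazy refill: credit the elapsed time, but never above capacity,
        # so a long-idle key cannot bank an unbounded burst.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_rate)
        if tokens >= cost:
            tokens -= cost
            self._buckets[key] = (tokens, now)
            return TokenBucketResult(True, math.floor(tokens), 0.0)
        # Denied: keep the fractional balance so refill accounting stays exact.
        self._buckets[key] = (tokens, now)
        return TokenBucketResult(False, math.floor(tokens), (cost - tokens) / self.refill_rate)


class FakeClock:
    """Constructed clock for the demo: time only moves when the test sets it."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> list[tuple[bool, int, float]]:
    clock = FakeClock()
    bucket = TokenBucket(capacity=3, refill_rate=2.0, clock=clock)
    out = []
    for _ in range(4):                    # burst at t=0: three allowed, fourth denied
        out.append(bucket.consume("alice"))
    clock.t = 0.5                         # 0.5 s * 2 tokens/s = exactly one token back
    out.append(bucket.consume("alice"))   # allowed, remaining 0
    out.append(bucket.consume("alice"))   # denied again, retry_after 0.5
    out.append(bucket.consume("bob"))     # independent key, full bucket
    clock.t = 10.0                        # long idle: refill is capped at capacity
    out.append(bucket.consume("alice"))   # allowed, remaining 2
    return [(r.allowed, r.remaining, r.retry_after) for r in out]
```

Because the bucket lives in process memory, every worker or replica enforces its own limit, so with N workers a client can get roughly N times the nominal rate; a shared store is needed for a global limit. Keying by principal.subject as the page does limits each authenticated user; keying by tenant_id would instead cap a whole tenant.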

Design rules

  • JwtValidator.validate() returns Result[Principal] — it never raises. Callers decide how to translate validation failures to HTTP responses.
  • JWKS are cached and refreshed lazily on key-ID miss so a key rotation doesn't require a restart.
  • Permission wildcards follow a simple dot-separated scheme: "orders.*" grants all permissions starting with "orders.". Policies compose with AND (require_all_permissions) or OR (require_any_permission) semantics.
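The second design rule (JWKS cached, refreshed lazily on a key-ID miss) has one failure mode worth seeing in code: the kid comes from the unverified token header, so a refresh-on-miss with no throttle lets anyone with a forged kid make the service hammer the identity provider's JWKS endpoint. Below is an added example of such a cache with a minimum refresh interval. It is not qx-auth's implementation: JwksCache, its fetch callback, min_refresh_interval, the refresh_count counter and the constructed JWKS documents in demo() are all assumptions made for this page.

```python
"""Illustrative JWKS cache: refresh on unknown kid, but not more often than a floor.

Added example, not qx-auth's own code. The fetcher is injected so the example
runs offline against constructed JWKS documents.
"""
from __future__ import annotations

import time
from typing import Callable, Optional

Jwk = dict   # one RFC 7517 key object, e.g. {"kid": "...", "kty": "RSA", "use": "sig", ...}
Jwks = dict  # a JWK Set: {"keys": [Jwk, ...]}


class JwksCache:
    def __init__(self, fetch: Callable[[], Jwks], min_refresh_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._min_refresh_interval = min_refresh_interval
        self._clock = clock
        self._keys: dict[str, Jwk] = {}
        self._last_refresh: Optional[float] = None
        self.refresh_count = 0  # exposed so callers (and the demo) can see fetch pressure

    def _refresh(self) -> None:
        doc = self._fetch()
        keys: dict[str, Jwk] = {}
        for jwk in doc.get("keys", []):
            # A key with no kid cannot be matched to a token header, and a key
            # whose "use" is not signing must never verify a signature.
            if jwk.get("kid") is None or jwk.get("use", "sig") != "sig":
                continue
            keys[jwk["kid"]] = jwk
        self._keys = keys
        self._last_refresh = self._clock()
        self.refresh_count += 1

    def get_key(self, kid: str) -> Optional[Jwk]:
        if self._last_refresh is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is not None:
            return key
        # Unknown kid: most likely a rotation, so refetch once. The interval check
        # bounds how often an attacker-chosen kid can trigger a fetch, and it also
        # guarantees a miss cannot loop: after one refresh, a still-unknown kid is
        # simply reported as absent.
        if self._clock() - self._last_refresh >= self._min_refresh_interval:
            self._refresh()
            return self._keys.get(kid)
        return None


class FakeClock:
    """Constructed clock for the demo; time advances only when the demo sets it."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    clock = FakeClock()
    # Constructed JWKS documents: first the pre-rotation set, then the post-rotation
    # set, which also carries an encryption key that must never be selected.
    docs = [
        {"keys": [{"kid": "k1", "kty": "RSA", "use": "sig"}]},
        {"keys": [{"kid": "k2", "kty": "RSA", "use": "sig"},
                  {"kid": "enc1", "kty": "RSA", "use": "enc"}]},
    ]
    calls: list[int] = []

    def fetch() -> Jwks:  # stands in for an HTTPS GET of the jwks_uri
        idx = min(len(calls), len(docs) - 1)
        calls.append(idx)
        return docs[idx]

    cache = JwksCache(fetch, min_refresh_interval=60.0, clock=clock)
    out = {}
    out["k1_found"] = cache.get_key("k1") is not None       # first use fills the cache
    out["k2_unknown_throttled"] = cache.get_key("k2")        # miss, but refresh suppressed
    out["refreshes_after_probe"] = cache.refresh_count       # still 1
    clock.t = 61.0
    out["k2_after_rotation"] = cache.get_key("k2") is not None  # miss triggers refresh #2
    out["k1_rotated_out"] = cache.get_key("k1")              # gone, and no further fetch
    out["enc_key_ignored"] = cache.get_key("enc1")           # use=enc is filtered out
    out["total_refreshes"] = cache.refresh_count             # 2
    return out
```

The trade-off is explicit: a rotation that lands right after a bogus-kid probe is picked up only once min_refresh_interval has elapsed, so the interval should be shorter than the overlap window during which the identity provider publishes both the old and the new key. Selecting the key is only half of validation; the algorithm to verify with must come from JwtSettings, never from the token's own alg header.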

Download files

Source Distribution

qx_auth-0.1.0.tar.gz (10.6 kB)

Uploaded Source

Built Distribution

qx_auth-0.1.0-py3-none-any.whl (11.8 kB)

Uploaded Python 3

File details

Details for the file qx_auth-0.1.0.tar.gz.

File metadata

  • Download URL: qx_auth-0.1.0.tar.gz
  • Upload date:
  • Size: 10.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for qx_auth-0.1.0.tar.gz
Algorithm Hash digest
SHA256 c5011a4b059940135b9b7500ae87094887c7f22920938acc2d59b8637df108f2
MD5 c3420966ab5c2a115da5034f5f824ea1
BLAKE2b-256 1b1ed624998150c3524639c591953c1c2bda0565314540ca845df722346c0d22

File details

Details for the file qx_auth-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: qx_auth-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 11.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 32565e99c92517b145821977f162568b822b0b455a70163ea4707e00cd7802d0
MD5 d29e0d9096aa10ae44d6743fdde82afc
BLAKE2b-256 5fd7d5fbb58adaaf6e712c7451d4a7d0f07acf24b7a2971439813559c5486e0f
