Qx auth: JWT validation, OIDC client, RBAC primitives, policy engine, rate limiting

Project description

qx-auth

JWT validation, OIDC discovery, RBAC primitives, policy engine, and token-bucket rate limiting for the Qx framework.

What lives here

  • qx.auth.JwtValidator — validates and decodes JWT access tokens. Supports RS256/ES256 via JWKS endpoint, audience and issuer validation, and a pluggable RevocationCheck.
  • qx.auth.JwtSettings — Pydantic settings: JWKS URI, issuer, audience, algorithm, leeway.
  • qx.auth.Principal — decoded token claims: subject, email, roles, permissions, tenant_id, raw claims dict.
  • qx.auth.OidcDiscovery — fetches and caches the OpenID Connect discovery document (/.well-known/openid-configuration). Populates JwtSettings from the discovery endpoint automatically.
  • qx.auth.OidcConfiguration — parsed OIDC discovery document.
  • qx.auth.Role / Permission — value objects for RBAC. Role contains a set of Permission strings with wildcard matching (orders.* matches orders.read).
  • qx.auth.PolicyEvaluator — evaluates a list of Policy objects against a Principal. Policies are composable with require_permission, require_any_permission, and require_all_permissions.
  • qx.auth.TokenBucket — in-memory token-bucket rate limiter. Returns a TokenBucketResult with allowed, remaining, and retry_after — no exceptions.

Usage

JWT validation in a FastAPI route

from qx.auth import JwtValidator, Principal
from fastapi import Depends, HTTPException
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

security = HTTPBearer()
# settings.jwt is the application's JwtSettings instance (JWKS URI, issuer,
# audience, algorithm, leeway); it is assumed to be defined in your app config.
validator = JwtValidator(settings.jwt)

async def current_principal(
    token: HTTPAuthorizationCredentials = Depends(security),
) -> Principal:
    # validate() returns Result[Principal] and never raises; the caller
    # decides how to map a validation failure to an HTTP response.
    result = await validator.validate(token.credentials)
    if not result.is_success:
        raise HTTPException(status_code=401, detail="invalid or expired token")
    return result.value

Policy evaluation

from qx.auth import PolicyEvaluator, Principal, require_permission

# Build the evaluator once; the policies in the list are combined with AND.
evaluator = PolicyEvaluator([require_permission("users.write")])

def update_user(principal: Principal):
    decision = evaluator.evaluate(principal)
    if not decision.allowed:
        # Result and ForbiddenError are the Qx framework's result/error types.
        return Result.failure(ForbiddenError(...))
    # proceed with the write

Token-bucket rate limiting

from qx.auth import Principal, TokenBucket

# One shared bucket keyed by principal subject: burst of 100, refilled at 10 tokens/sec.
bucket = TokenBucket(capacity=100, refill_rate=10)  # 10 tokens/sec

def throttle(principal: Principal):
    # consume() never raises; it returns a TokenBucketResult.
    result = bucket.consume(principal.subject)
    if not result.allowed:
        # Result and RateLimitedError are the Qx framework's result/error types;
        # retry_after says how long until the bucket has a token again.
        return Result.failure(RateLimitedError(retry_after=result.retry_after))

Design rules

  • JwtValidator.validate() returns Result[Principal] — it never raises. Callers decide how to translate validation failures to HTTP responses.
  • JWKS are cached and refreshed lazily on key-ID miss so a key rotation doesn't require a restart.
  • Permission wildcards follow a simple dot-separated scheme: "orders.*" grants all permissions starting with "orders.". Policies compose with AND (require_all_permissions) or OR (require_any_permission) semantics.
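As an added illustration (not qx-auth's own code), the wildcard-matching and AND/OR composition rules above written out as a small stand-alone reference implementation. DemoPrincipal, Decision, permission_matches and evaluate are names assumed for the example; evaluate is deny-by-default and the first policy that denies short-circuits.

```python
from dataclasses import dataclass
from typing import Callable

def permission_matches(granted: str, required: str) -> bool:
    # "orders.*" covers everything starting with "orders." ("orders.read",
    # "orders.items.create") but not "orders" itself and not "ordersx.read".
    if granted.endswith(".*"):
        return required.startswith(granted[:-1])  # prefix keeps the dot
    return granted == required

@dataclass(frozen=True)
class DemoPrincipal:  # stand-in for qx.auth.Principal (assumed shape)
    subject: str
    permissions: frozenset[str] = frozenset()

    def has(self, required: str) -> bool:
        return any(permission_matches(g, required) for g in self.permissions)

@dataclass(frozen=True)
class Decision:  # assumed shape of the evaluator's result
    allowed: bool
    reason: str = ""

Policy = Callable[[DemoPrincipal], Decision]

def require_permission(p: str) -> Policy:
    return lambda pr: Decision(pr.has(p), "" if pr.has(p) else f"missing {p}")

def require_any_permission(*ps: str) -> Policy:  # OR across ps
    def check(pr: DemoPrincipal) -> Decision:
        ok = any(pr.has(p) for p in ps)
        return Decision(ok, "" if ok else f"needs one of {sorted(ps)}")
    return check

def require_all_permissions(*ps: str) -> Policy:  # AND across ps
    def check(pr: DemoPrincipal) -> Decision:
        missing = [p for p in ps if not pr.has(p)]
        return Decision(not missing, "" if not missing else f"missing {missing}")
    return check

def evaluate(policies: list[Policy], pr: DemoPrincipal) -> Decision:
    # Deny by default: every policy in the list must allow; first denial wins.
    for policy in policies:
        decision = policy(pr)
        if not decision.allowed:
            return decision
    return Decision(True)
```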

Download files

Source Distribution

qx_auth-0.2.0.tar.gz (10.6 kB)

Uploaded: Source

Built Distribution

qx_auth-0.2.0-py3-none-any.whl (11.8 kB)

Uploaded: Python 3

File details

Details for the file qx_auth-0.2.0.tar.gz.

File metadata

  • Download URL: qx_auth-0.2.0.tar.gz
  • Upload date:
  • Size: 10.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.0

File hashes

Hashes for qx_auth-0.2.0.tar.gz

Algorithm    Hash digest
SHA256       45f2a692ac15dd7120095866c314ac93f16a1df6d66c2928e729ab7ebe8f5435
MD5          7c3bd6d632d6c8185366387576646718
BLAKE2b-256  47f9c6bb26e98be206d6e82d56845c6f6411db8efb38c0d957bc251d1f6da902

File details

Details for the file qx_auth-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: qx_auth-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 11.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-0.2.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       18b76cb3ce327b97e0754a34f62ac65b9f6c2d8ba922d1f7983f6761def1ac68
MD5          5f061f7ab057fa1bc61f2ec991fd16af
BLAKE2b-256  9691624df3d9367576726ac475fb824e9200e9049184eec15ff7eac59522cb77
