Qx auth: JWT validation, OIDC client, RBAC primitives, policy engine, rate limiting

Project description

qx-auth

JWT validation, OIDC discovery, RBAC primitives, policy engine, and token-bucket rate limiting for the Qx framework.

What lives here

  • qx.auth.JwtValidator — validates and decodes JWT access tokens. Supports RS256/ES256 with keys fetched from a JWKS endpoint, plus audience and issuer validation and a pluggable RevocationCheck. Pin the expected algorithm in JwtSettings; a token's own alg header must never be what selects the verification algorithm.
  • qx.auth.JwtSettings — Pydantic settings: JWKS URI, issuer, audience, algorithm, leeway.
  • qx.auth.Principal — decoded token claims: subject, email, roles, permissions, tenant_id, raw claims dict.
  • qx.auth.OidcDiscovery — fetches and caches the OpenID Connect discovery document (/.well-known/openid-configuration) and populates JwtSettings from it automatically. Configure the issuer you expect yourself: the discovery document's issuer value must match the issuer it was fetched from, and a document that says otherwise should not be trusted.
  • qx.auth.OidcConfiguration — parsed OIDC discovery document.
  • qx.auth.Role / Permission — value objects for RBAC. Role contains a set of Permission strings with wildcard matching (orders.* matches orders.read).
  • qx.auth.PolicyEvaluator — evaluates a list of Policy objects against a Principal. Policies are composable with require_permission, require_any_permission, and require_all_permissions.
  • qx.auth.TokenBucket — in-memory token-bucket rate limiter. consume() returns a TokenBucketResult with allowed, remaining, and retry_after instead of raising. Because the state lives in process memory, limits apply per process, not across replicas.

Usage

JWT validation in a FastAPI route

from fastapi import Depends, HTTPException
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

from qx.auth import JwtValidator, Principal

security = HTTPBearer()
# settings is the application's own config object; settings.jwt is a qx.auth.JwtSettings.
validator = JwtValidator(settings.jwt)

async def current_principal(
    token: HTTPAuthorizationCredentials = Depends(security),
) -> Principal:
    result = await validator.validate(token.credentials)
    if not result.is_success:
        # validate() never raises; the route decides how a failed Result maps to HTTP.
        raise HTTPException(status_code=401, headers={"WWW-Authenticate": "Bearer"})
    return result.value
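The Result-returning style above (a failed validation is a value, not an exception) applies to every check the validator runs. As an added example, not qx-auth's code, here is the claim-checking stage that follows signature verification: issuer, audience (string or list), exp and nbf with leeway, and sub. The Result, ClaimSettings and Principal classes are stand-ins shaped like the README's types; signature and JWKS handling are deliberately outside this snippet, and the sample claims are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Generic, Optional, TypeVar

T = TypeVar("T")

# Added example of post-signature claim checks in the Result-returning style
# this page describes. Not qx-auth's code: Result, ClaimSettings and Principal
# are stand-ins, and signature/JWKS verification is out of scope here.


@dataclass(frozen=True)
class Result(Generic[T]):
    value: Optional[T] = None
    error: Optional[str] = None

    @property
    def is_success(self) -> bool:
        return self.error is None


@dataclass(frozen=True)
class ClaimSettings:
    issuer: str
    audience: str
    leeway: int = 0  # seconds of clock skew tolerated on exp/nbf


@dataclass(frozen=True)
class Principal:
    subject: str
    claims: dict[str, Any]


def validate_claims(claims: dict[str, Any], settings: ClaimSettings, now: int) -> Result[Principal]:
    """Check iss, aud, exp, nbf and sub; return a failed Result instead of raising."""
    # iss: exact string comparison, no normalisation of trailing slashes etc.
    if claims.get("iss") != settings.issuer:
        return Result(error="issuer mismatch")

    # aud may be a single string or a list of strings (RFC 7519 section 4.1.3);
    # our audience must appear in it. Any other shape is rejected outright.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return Result(error="audience claim missing or malformed")
    if settings.audience not in audiences:
        return Result(error="audience mismatch")

    # exp is mandatory for an access token; a missing exp is a failure, not
    # "never expires". Leeway widens the acceptance window on both ends.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return Result(error="exp claim missing or malformed")
    if now > exp + settings.leeway:
        return Result(error="token expired")

    nbf = claims.get("nbf")
    if nbf is not None:
        if not isinstance(nbf, (int, float)) or isinstance(nbf, bool):
            return Result(error="nbf claim malformed")
        if now + settings.leeway < nbf:
            return Result(error="token not yet valid")

    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return Result(error="sub claim missing")

    return Result(value=Principal(subject=sub, claims=claims))


# Constructed sample input, not data from the project.
SETTINGS = ClaimSettings(issuer="https://issuer.example", audience="api", leeway=30)
NOW = 1_700_000_000
SAMPLE_CLAIMS: dict[str, Any] = {
    "iss": "https://issuer.example",
    "aud": ["api", "billing"],
    "exp": NOW + 60,
    "nbf": NOW - 10,
    "sub": "alice",
}
```

The order matters less than the completeness: every branch ends in a Result, so the FastAPI dependency above can map `result.error` to a 401 without a try/except around the validator.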

Policy evaluation

from qx.auth import PolicyEvaluator, require_permission

# principal is the Principal returned by current_principal above. Result and
# ForbiddenError are not part of qx.auth (see the list above); they come from
# the surrounding Qx framework code.
evaluator = PolicyEvaluator([require_permission("users.write")])
decision = evaluator.evaluate(principal)
if not decision.allowed:
    return Result.failure(ForbiddenError(...))
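To make the RBAC semantics concrete (dot-separated permissions, "orders.*" as a prefix wildcard, require_any_permission as OR and require_all_permissions as AND), here is a self-contained model written for this page. It is illustration code, not qx-auth's implementation: the names mirror the README for readability, the principals and roles are constructed, and the rule that a PolicyEvaluator list must be satisfied by every policy is this example's assumption, since the page does not state how the library combines a list.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# Added example modelling the RBAC semantics documented on this page. Not
# qx-auth's code; names mirror the README for readability only.


def permission_matches(granted: str, required: str) -> bool:
    """True if a granted permission string covers the required one.

    "orders.*" covers anything starting with "orders." (so also nested names
    like "orders.items.read") but not "orders" itself or "ordersx.read".
    A grant without a trailing ".*" must match exactly.
    """
    if granted.endswith(".*"):
        return required.startswith(granted[:-1])  # keep the trailing dot
    return granted == required


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[str]


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: tuple[Role, ...] = ()
    permissions: frozenset[str] = frozenset()  # direct grants besides roles

    def has_permission(self, required: str) -> bool:
        granted = set(self.permissions)
        for role in self.roles:
            granted |= role.permissions
        return any(permission_matches(g, required) for g in granted)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# A policy is a callable Principal -> Decision; that is what makes it composable.
Policy = Callable[[Principal], Decision]


def require_permission(required: str) -> Policy:
    def policy(p: Principal) -> Decision:
        if p.has_permission(required):
            return Decision(True, f"granted {required}")
        return Decision(False, f"missing {required}")
    return policy


def require_any_permission(*required: str) -> Policy:
    """OR: at least one of the listed permissions must be held."""
    def policy(p: Principal) -> Decision:
        held = [r for r in required if p.has_permission(r)]
        if held:
            return Decision(True, f"granted {held[0]}")
        return Decision(False, f"missing all of {list(required)}")
    return policy


def require_all_permissions(*required: str) -> Policy:
    """AND: every listed permission must be held."""
    def policy(p: Principal) -> Decision:
        missing = [r for r in required if not p.has_permission(r)]
        if missing:
            return Decision(False, f"missing {missing}")
        return Decision(True, f"granted all of {list(required)}")
    return policy


class PolicyEvaluator:
    """Runs policies in order; this example requires every policy to allow
    (first deny wins). How qx-auth combines a list is not stated on the page."""

    def __init__(self, policies: Iterable[Policy]):
        self._policies = list(policies)

    def evaluate(self, principal: Principal) -> Decision:
        for policy in self._policies:
            decision = policy(principal)
            if not decision.allowed:
                return decision
        return Decision(True, "all policies satisfied")


# Constructed sample data, not from the project.
ORDERS_ADMIN = Role("orders-admin", frozenset({"orders.*"}))
SUPPORT = Role("support", frozenset({"orders.read", "users.read"}))
alice = Principal("alice", roles=(ORDERS_ADMIN,))
bob = Principal("bob", roles=(SUPPORT,))
```

The prefix check keeps the trailing dot on purpose: without it, "orders.*" would also grant "ordersx.read", which is the kind of over-grant a wildcard scheme has to rule out.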

Token-bucket rate limiting

from qx.auth import TokenBucket

bucket = TokenBucket(capacity=100, refill_rate=10)  # 10 tokens/sec, bursts of up to 100

# One bucket per principal; consume() reports the outcome instead of raising.
# RateLimitedError, like Result, comes from the surrounding Qx framework code.
result = bucket.consume(principal.subject)
if not result.allowed:
    return Result.failure(RateLimitedError(retry_after=result.retry_after))
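The useful part of the result contract is retry_after: the caller can turn it straight into a Retry-After header rather than telling the client to "try again later". As an added example, not qx-auth's code, the following per-key bucket shows how that value falls out of the refill arithmetic. The injected clock is this example's addition for deterministic testing; the demo's capacity and rate are constructed.

```python
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable

# Added example of a per-key token bucket with the allowed/remaining/retry_after
# result contract described on this page. Not qx-auth's implementation; the
# clock parameter exists so the demo is deterministic.


@dataclass(frozen=True)
class TokenBucketResult:
    allowed: bool
    remaining: int
    retry_after: float  # seconds until the next token; 0.0 when allowed


class TokenBucket:
    def __init__(self, capacity: int, refill_rate: float,
                 clock: Callable[[], float] = time.monotonic):
        # Configuration errors surface at construction; consume() never raises.
        if capacity <= 0 or refill_rate <= 0:
            raise ValueError("capacity and refill_rate must be positive")
        self.capacity = capacity
        self.refill_rate = refill_rate  # tokens per second
        self._clock = clock
        # key -> (tokens, timestamp of last update). State is per process.
        self._buckets: dict[str, tuple[float, float]] = {}

    def consume(self, key: str) -> TokenBucketResult:
        now = self._clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        # Refill lazily: credit the tokens earned since the last update, capped.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_rate)
        if tokens >= 1.0:
            tokens -= 1.0
            self._buckets[key] = (tokens, now)
            return TokenBucketResult(True, int(tokens), 0.0)
        # Denied: keep the refilled balance and report when one token will exist.
        self._buckets[key] = (tokens, now)
        retry_after = (1.0 - tokens) / self.refill_rate
        return TokenBucketResult(False, int(tokens), retry_after)


class FakeClock:
    """Controllable monotonic clock for the demo (constructed, not production)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict[str, object]:
    clock = FakeClock()
    bucket = TokenBucket(capacity=3, refill_rate=1.0, clock=clock)
    first_four = [bucket.consume("alice") for _ in range(4)]  # burst of 3, then denied
    denied = first_four[3]
    clock.advance(denied.retry_after)  # wait exactly as long as we were told
    after_wait = bucket.consume("alice")
    other_key = bucket.consume("bob")  # independent bucket per key
    return {
        "allowed_flags": [r.allowed for r in first_four],
        "remaining_after_third": first_four[2].remaining,
        "retry_after": denied.retry_after,
        "after_wait_allowed": after_wait.allowed,
        "other_key_remaining": other_key.remaining,
    }
```

Because the state is a dict in one process, two replicas each hand out their own burst; if the limit has to hold across a fleet, the same arithmetic needs to run against shared storage.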

Design rules

  • JwtValidator.validate() returns Result[Principal] — it never raises. Callers decide how to translate validation failures to HTTP responses.
  • JWKS are cached and refreshed lazily on key-ID miss, so a key rotation does not require a restart. The flip side is that a token carrying an unknown kid triggers a JWKS fetch; size the JWKS origin (or front it with a cache) with that in mind.
  • Permission wildcards follow a simple dot-separated scheme: "orders.*" grants all permissions starting with "orders.". Policies compose with AND (require_all_permissions) or OR (require_any_permission) semantics.
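The lazy-refresh rule is easy to state and easy to get subtly wrong, so here is an added example of it, written for this page and not taken from qx-auth. The fetcher is injected so the code runs offline (in production it would GET the JWKS URI over HTTPS), the JWKS endpoint and its keys are constructed stand-ins with the key material omitted, and the cooldown between miss-driven refreshes is this example's own addition, not a documented qx-auth setting.

```python
from __future__ import annotations

import time
from typing import Callable, Optional

# Added example of the "refresh lazily on key-ID miss" design rule. Not
# qx-auth's code: the fetcher is injected so this runs offline, and the
# cooldown between miss-driven refreshes is this example's addition.

Jwk = dict  # one JSON Web Key as a plain dict (kid, kty, alg, ...)


class JwksCache:
    def __init__(self, fetcher: Callable[[], list[Jwk]],
                 min_refresh_interval: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetcher = fetcher
        self._min_refresh_interval = min_refresh_interval
        self._clock = clock
        self._keys: dict[str, Jwk] = {}
        self._last_refresh: Optional[float] = None
        self.fetch_count = 0  # observable, so refresh behaviour can be checked

    def _refresh(self) -> None:
        self.fetch_count += 1
        fetched = self._fetcher()
        # A key without a kid can never be selected by a token header; drop it
        # rather than guess. Replacing the dict also forgets retired keys.
        self._keys = {k["kid"]: k for k in fetched if "kid" in k}
        self._last_refresh = self._clock()

    def get(self, kid: str) -> Optional[Jwk]:
        if self._last_refresh is None:
            self._refresh()  # first use populates the cache
        key = self._keys.get(kid)
        if key is not None:
            return key
        # Unknown kid: either a rotation we have not seen yet or junk in an
        # attacker-supplied token. Refetch at most once per cooldown window so
        # a flood of bogus kids cannot turn the JWKS origin into a hot path.
        if self._clock() - self._last_refresh >= self._min_refresh_interval:
            self._refresh()
            return self._keys.get(kid)
        return None


class FakeJwksEndpoint:
    """Constructed stand-in for an identity provider's JWKS document."""

    def __init__(self) -> None:
        # Key material omitted; only kid/kty/alg matter for key selection.
        self.keys: list[Jwk] = [{"kid": "2024-01", "kty": "RSA", "alg": "RS256"}]

    def rotate(self, new_kid: str) -> None:
        self.keys.append({"kid": new_kid, "kty": "RSA", "alg": "RS256"})

    def fetch(self) -> list[Jwk]:
        return list(self.keys)


def demo() -> dict[str, object]:
    now = [0.0]  # mutable fake clock
    endpoint = FakeJwksEndpoint()
    cache = JwksCache(endpoint.fetch, min_refresh_interval=30.0, clock=lambda: now[0])

    out: dict[str, object] = {}
    out["known"] = cache.get("2024-01") is not None        # first call populates
    out["junk"] = cache.get("does-not-exist")                # miss inside cooldown: no refetch
    out["fetches_after_junk"] = cache.fetch_count            # still 1
    endpoint.rotate("2024-02")
    out["rotated_early"] = cache.get("2024-02")              # rotation inside cooldown: not visible yet
    now[0] += 30.0
    out["rotated_late"] = cache.get("2024-02") is not None   # cooldown elapsed: refetch, found
    out["fetches_total"] = cache.fetch_count                 # 2
    return out
```

The cooldown trades a bounded delay in seeing a brand-new kid for protection against refetch storms; identity providers normally publish a new key before signing with it, so a short window costs nothing in practice.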

Download files

Source Distribution

qx_auth-1.0.0.tar.gz (14.9 kB)

Uploaded Source

Built Distribution

qx_auth-1.0.0-py3-none-any.whl (15.2 kB)

Uploaded Python 3

File details

Details for the file qx_auth-1.0.0.tar.gz.

File metadata

  • Download URL: qx_auth-1.0.0.tar.gz
  • Upload date:
  • Size: 14.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-1.0.0.tar.gz
Algorithm Hash digest
SHA256 76dba3d2c4c9c6bbca94a003f3eeff96c562748a9b3bafd56702c0bea57c3bf0
MD5 329ca4dcc91863e393cc8e8f9ab0dd0d
BLAKE2b-256 20c4e7f22f31b6e05816b65aa7ba5bb78bae0faa4015cf7379e668908eec933c

File details

Details for the file qx_auth-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: qx_auth-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 15.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5fd4d26214896db93f7970e5998f0b5e91efb46dcf10834ea2b7f19ae4ac7b89
MD5 7b5bf7c37b65ed827fa6611f95b4231c
BLAKE2b-256 ca6e67365605ff0d54bc4086df004449864f3d4b2e51635b39162c82b77c4d4a
