Qx auth: JWT validation, OIDC client, RBAC primitives, policy engine, rate limiting

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for klauthed from gravatar.com klauthed

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: Qx Engineering
  • Requires: Python >=3.14
Report project as malware

Project description

qx-auth

JWT validation, OIDC discovery, RBAC primitives, policy engine, and token-bucket rate limiting for the Qx framework.

What lives here

  • qx.auth.JwtValidator — validates and decodes JWT access tokens. Supports RS256/ES256 via JWKS endpoint, audience and issuer validation, and a pluggable RevocationCheck.
  • qx.auth.JwtSettings — Pydantic settings: JWKS URI, issuer, audience, algorithm, leeway.
  • qx.auth.Principal — decoded token claims: subject, email, roles, permissions, tenant_id, raw claims dict.
  • qx.auth.OidcDiscovery — fetches and caches the OpenID Connect discovery document (/.well-known/openid-configuration). Populates JwtSettings from the discovery endpoint automatically.
  • qx.auth.OidcConfiguration — parsed OIDC discovery document.
  • qx.auth.Role / Permission — value objects for RBAC. Role contains a set of Permission strings with wildcard matching (orders.* matches orders.read).
  • qx.auth.PolicyEvaluator — evaluates a list of Policy objects against a Principal. Policies are composable with require_permission, require_any_permission, and require_all_permissions.
  • qx.auth.TokenBucket — in-memory token-bucket rate limiter. Returns a TokenBucketResult with allowed, remaining, and retry_after — no exceptions.

Usage

JWT validation in a FastAPI route

from qx.auth import JwtValidator, Principal
from fastapi import Depends, HTTPException
from fastapi.security import HTTPBearer

security = HTTPBearer()
validator = JwtValidator(settings.jwt)

async def current_principal(token=Depends(security)) -> Principal:
    result = await validator.validate(token.credentials)
    if not result.is_success:
        raise HTTPException(status_code=401)
    return result.value

Policy evaluation

from qx.auth import PolicyEvaluator, require_permission

evaluator = PolicyEvaluator([require_permission("users.write")])
decision = evaluator.evaluate(principal)
if not decision.allowed:
    return Result.failure(ForbiddenError(...))

Token-bucket rate limiting

from qx.auth import TokenBucket

bucket = TokenBucket(capacity=100, refill_rate=10)  # 10 tokens/sec

result = bucket.consume(principal.subject)
if not result.allowed:
    return Result.failure(RateLimitedError(retry_after=result.retry_after))

Design rules

  • JwtValidator.validate() returns Result[Principal] — it never raises. Callers decide how to translate validation failures to HTTP responses.
  • JWKS are cached and refreshed lazily on key-ID miss so a key rotation doesn't require a restart.
  • Permission wildcards follow a simple dot-separated scheme: "orders.*" grants all permissions starting with "orders.". Policies compose with AND (require_all_permissions) or OR (require_any_permission) semantics.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for klauthed from gravatar.com klauthed

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Author: Qx Engineering
  • Requires: Python >=3.14

Release history Release notifications | RSS feed

This version

1.1.0

1.0.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qx_auth-1.1.0.tar.gz (14.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qx_auth-1.1.0-py3-none-any.whl (15.2 kB view details)

Uploaded Python 3

File details

Details for the file qx_auth-1.1.0.tar.gz.

File metadata

  • Download URL: qx_auth-1.1.0.tar.gz
  • Upload date:
  • Size: 14.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-1.1.0.tar.gz
Algorithm Hash digest
SHA256 53498e61b9c22c2b961c0fa7bdd5da464801aa446a4530a64f435564dfddd465
MD5 8aa1fbccc8a9783b05040f18c5e6910f
BLAKE2b-256 a1c2849036bc4c875f772304061eb94864f050b3de99cb825ba0bafb1f28cd59

See more details on using hashes here.

File details

Details for the file qx_auth-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: qx_auth-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 15.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for qx_auth-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 07ea2ecb15bb64bcde2f109a6c7a8ccdc88b07e4e7fed11c005450aa596b9087
MD5 ae57d3440b015dd9706bf46ad2f935c8
BLAKE2b-256 0b0665a5026f9f55401c3b34a80aeedc23b28ea44fdadc5a84328305017adf36

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page