Rownd migration plugin for SuperTokens Python
Project description
SuperTokens Rownd Python Plugin
Rownd migration plugin for supertokens_python.
This package is managed by Turborepo through package.json, but published as a Python package named supertokens-rownd.
Installation
Install from PyPI:
pip install supertokens-rownd
With uv:
uv add supertokens-rownd
For local development, install from this repository checkout with uv sync --dev.
Local Development
cd packages/rownd-python
uv sync --dev
uv run python -m build
uv run pytest
From the repository root, Turborepo can run the Python package tasks because this directory has a package.json workspace adapter:
npm run build -- --filter=@supertokens-plugins/rownd-python
npm run test -- --filter=@supertokens-plugins/rownd-python
Usage
from supertokens_python import (
InputAppInfo,
SupertokensConfig,
SupertokensExperimentalConfig,
init,
)
from supertokens_python.recipe import accountlinking, emailverification, passwordless, session, thirdparty, usermetadata
from supertokens_rownd import init as RowndMigrationPlugin
init(
app_info=InputAppInfo(
app_name="My App",
api_domain="https://api.example.com",
website_domain="https://example.com",
api_base_path="/auth",
),
framework="fastapi",
supertokens_config=SupertokensConfig(
connection_uri="https://try.supertokens.com",
),
recipe_list=[
accountlinking.init(),
session.init(),
usermetadata.init(),
passwordless.init(
contact_config=passwordless.ContactEmailOrPhoneConfig(),
flow_type="MAGIC_LINK",
),
emailverification.init(mode="OPTIONAL"),
thirdparty.init(sign_in_and_up_feature=thirdparty.SignInAndUpFeature(providers=[])),
],
experimental=SupertokensExperimentalConfig(
plugins=[
RowndMigrationPlugin(
rownd_app_key="rownd_app_key",
rownd_app_secret="rownd_app_secret",
# Must match InputAppInfo.api_base_path.
api_base_path="/auth",
# Should match InputAppInfo.api_domain.
api_domain="https://api.example.com",
# Should match InputAppInfo.website_domain when using passwordless confirmation bypass.
website_domain="https://example.com",
app_name="My App",
)
]
),
)
Routes
The plugin registers these routes below api_base_path:
GET /plugin/rownd/app-configPOST /plugin/rownd/guestPOST /plugin/rownd/migratePOST /plugin/migrate-sessionPOST /plugin/passwordless-cross-device-confirmation/validatePOST /plugin/rownd/signoutGET /plugin/rownd/userPUT /plugin/rownd/userDELETE /plugin/rownd/userGET /plugin/rownd/user/metaPUT /plugin/rownd/user/metaGET /plugin/rownd/user/fieldPUT /plugin/rownd/user/field
Rownd Compatibility
The plugin exposes Rownd-compatible user/session behavior for migrated and new SuperTokens users:
- Guest sessions use the
guestthird-party provider. - Instant sessions use the
instantthird-party provider and preserveauth_level: "instant". - Google and Apple third-party login methods are exposed as
google_idandapple_idin Rownd-compatible user payloads. - OAuth2 Provider tokens and userinfo responses include Rownd claims plus standard
email,phone, andprofileclaims when those scopes are requested. - OAuth2
resource=app:*requests are translated to SuperTokensaudience=app:*for Rownd-compatible OAuth clients. - Rownd compatibility user routes ignore the global email verification claim validator so instant users can update email fields even when email verification is required.
Passwordless Confirmation Bypass
Use create_magic_link_with_confirmation_bypass when your backend needs to create a passwordless magic link that can be opened on a different device without showing the SuperTokens cross-device confirmation prompt.
This is intended for trusted server-side flows only.
First, configure the exact post-login paths that may use the bypass:
from supertokens_rownd import RowndPluginConfig
rownd_plugin_config = RowndPluginConfig(
rownd_app_key="rownd_app_key",
rownd_app_secret="rownd_app_secret",
api_base_path="/auth",
api_domain="https://api.example.com",
website_domain="https://example.com",
client_domains={"browser": "https://app.example.com"},
cross_device_confirmation_bypass={
"allowed_redirect_paths": ["/profile", "/settings/security"],
},
)
Then call the helper from your backend after SuperTokens has been initialized with the Rownd plugin:
from supertokens_rownd import create_magic_link_with_confirmation_bypass
magic_link = await create_magic_link_with_confirmation_bypass(
email="user@example.com",
client_domain="browser",
redirect_to_path="/profile",
display_context="browser",
)
redirect_to_path is required and must match cross_device_confirmation_bypass.allowed_redirect_paths exactly after normalization. Absolute URLs are accepted only when their origin matches the resolved client_domain; they are normalized back to a relative path before being added to the magic link.
client_domain must be a configured client_domains key, not a raw domain. Omit it to use website_domain.
Pass exactly one of email or phone_number. The helper returns the rewritten magic link with bypassDeviceConfirmation=true.
Before skipping the cross-device confirmation prompt, the frontend should validate the callback against the plugin:
- POST
/plugin/passwordless-cross-device-confirmation/validate - Body:
{ "clientDomain": "browser", "redirectToPath": "/profile", "appVariantId": "optional_variant" } - Success response:
{ "status": "OK", "bypass": true }
If validation fails, the frontend should show the normal cross-device confirmation prompt.
Apple sign-in methods may include SuperTokens client type mapping fields:
"signInMethods": [
{
"method": "apple",
"clientId": "com.example.service",
"webClientType": "web",
"iosClientType": "ios",
"androidClientType": "android",
}
]
See OAUTH_MIGRATION_TUTORIAL.md for OAuth/OIDC client migration steps.
Notes
The Python SDK plugin API does not currently pass app_info into plugin route construction. Configure api_base_path, api_domain, website_domain, and app_name on the Rownd plugin so it can register routes and rewrite Rownd hub links consistently.
api_base_path must match InputAppInfo.api_base_path. If these differ, Rownd plugin routes are mounted at the Rownd plugin value, not the SuperTokens app value.
api_domain should match InputAppInfo.api_domain. This value is added to rewritten Rownd hub links so browser and mobile flows can call back to the correct API domain.
website_domain should match InputAppInfo.website_domain. It is required when create_magic_link_with_confirmation_bypass is called without client_domain.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file supertokens_rownd-0.1.1.tar.gz.
File metadata
- Download URL: supertokens_rownd-0.1.1.tar.gz
- Upload date:
- Size: 47.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
01c52adcf4b9278f55c149a93b0db7738d13c70f9976303ada5328e18d347ab5
|
|
| MD5 |
003200ffe5fc6105c5d8388b1f33d6e2
|
|
| BLAKE2b-256 |
fd0b1d423a0ae4ef1ece0d53ef4e25f94350bd38e99900c5f854c8a763875dd8
|
File details
Details for the file supertokens_rownd-0.1.1-py3-none-any.whl.
File metadata
- Download URL: supertokens_rownd-0.1.1-py3-none-any.whl
- Upload date:
- Size: 27.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1f84b51f89fa4975ed14260b638c9d9222b829dfc66e1931a7d498613ace5044
|
|
| MD5 |
5956bd035c4b9b949a480726e7aebf0f
|
|
| BLAKE2b-256 |
898765c1785b07e037efed5a69f5ce6a22703fa4919e6c04cb5f70adb4d0832c
|