Vanty App: identity, sessions, MFA, organizations, RBAC, social, API keys.
Vanty Auth
Drop-in authentication toolkit for FastAPI with Tortoise ORM. Sessions, MFA, organizations, API keys, social login, and admin management in a single pip install.
Installation
```bash
pip install vanty-auth
# or
uv pip install vanty-auth
```
Quick start
```python
from contextlib import asynccontextmanager

from fastapi import FastAPI
from vanty_auth import AuthSettings, mount_auth_router

settings = AuthSettings(
    database_url="sqlite://./vanty-auth.db",
    secret_key="change-me",  # placeholder: replace with a long random secret before deploying
)

app = FastAPI()
kit = mount_auth_router(app, settings=settings)


@asynccontextmanager
async def lifespan(_: FastAPI):
    # Open the ORM connection and generate schemas on startup
    await kit.init_orm(generate_schemas=True)
    try:
        yield
    finally:
        # Close database connections on shutdown
        await kit.close_orm()


app.router.lifespan_context = lifespan
```
Run with uvicorn main:app --reload and visit /docs for the interactive API explorer.
Features
- Email/password authentication with argon2 hashing, email verification, and password reset
- Session management with JWT access tokens, refresh tokens, and secure cookie sessions
- Multi-factor authentication via TOTP with recovery codes
- Organizations with invitations, member roles, ownership transfer, and multi-tenancy
- API key authentication with scoped permissions
- Social login via OAuth2 providers (Google, GitHub, extensible)
- RBAC with custom roles and permissions
- Admin management endpoints for super-admin operations
- Security monitoring with login attempt tracking and IP blocking
- Provider administration for managing auth methods per-organization
Architecture
AuthApp is a composition root that wires all services. Access services directly:
```python
kit = mount_auth_router(app, settings=settings)

# Direct service access (call these from inside an async function, e.g. a route handler)
await kit.auth_service.signup(request, email=email, password=password)
await kit.organization_service.create_organization(name="Acme", owner_id=user_id)
await kit.mfa_service.enable_totp(user_id=user_id)
await kit.api_key_service.create_key(user_id=user_id, name="ci-token")
```
Available services on AuthApp:
| Service | Purpose |
|---|---|
| auth_service | Signup, login, password reset, email verification |
| session_service | Token refresh, session listing, revocation |
| mfa_service | TOTP enrollment, verification, recovery codes |
| organization_service | Org CRUD, members, invitations, ownership |
| api_key_service | API key creation, revocation, listing |
| social_service | OAuth2 flow initiation, callback, account linking |
| security_service | Login attempt tracking, IP blocking |
| provider_admin_service | Auth provider management per organization |
| admin_service | Super-admin user and org management |
Configuration
All settings are read from environment variables with the AUTH_ prefix, or passed directly to AuthSettings.
| Setting | Default | Description |
|---|---|---|
| database_url | sqlite://./vanty-auth.db | Tortoise ORM database URL |
| secret_key | change-me | Secret for JWT signing and encryption |
| base_url | http://localhost:8000 | Public base URL for callbacks |
| access_token_ttl_seconds | 900 | JWT access token lifetime |
| refresh_token_ttl_seconds | 604800 | Refresh token lifetime (7 days) |
| session_ttl_seconds | 604800 | Session cookie lifetime (7 days) |
| auth_backends | ["bearer", "api_key", "session"] | Enabled authentication backends |
| provider_apps | {} | Social provider credentials |
| allow_org_creation | true | Whether users can create organizations |
| max_login_attempts_before_block | 10 | Failed logins before IP block |
Set via environment: AUTH_KIT_SECRET_KEY=my-secret AUTH_KIT_DATABASE_URL=postgres://...
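A pre-deployment check for the defaults in the table above, as an added example that is not part of vanty-auth. It takes the effective settings as a plain dict keyed by the documented setting names; the function name, the thresholds and the finding texts are assumptions of this example.

```python
from urllib.parse import urlparse

# Defaults copied from the settings table above.
DEFAULTS = {
    "database_url": "sqlite://./vanty-auth.db",
    "secret_key": "change-me",
    "base_url": "http://localhost:8000",
    "access_token_ttl_seconds": 900,
    "refresh_token_ttl_seconds": 604800,
    "max_login_attempts_before_block": 10,
}
MIN_SECRET_BYTES = 32  # assumption: floor chosen by this example for a signing secret


def audit_settings(overrides: dict) -> list[str]:
    """Return findings for the effective settings (documented defaults + overrides)."""
    cfg = {**DEFAULTS, **overrides}
    findings = []

    secret = str(cfg["secret_key"])
    if secret == DEFAULTS["secret_key"]:
        findings.append("secret_key: still the documented default")
    elif len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(f"secret_key: shorter than {MIN_SECRET_BYTES} bytes")
    elif len(set(secret)) < 8:
        findings.append("secret_key: too few distinct characters")

    # base_url drives callbacks, so a non-local host should be served over HTTPS.
    url = urlparse(str(cfg["base_url"]))
    local = url.hostname in ("localhost", "127.0.0.1", "::1")
    if url.scheme != "https" and not local:
        findings.append("base_url: public callbacks served over plain HTTP")

    if str(cfg["database_url"]).startswith("sqlite:") and not local:
        findings.append("database_url: SQLite default on a non-local deployment")

    # Values read from the environment arrive as strings, hence int().
    if int(cfg["access_token_ttl_seconds"]) >= int(cfg["refresh_token_ttl_seconds"]):
        findings.append("access_token_ttl_seconds: not shorter than the refresh token")

    if int(cfg["max_login_attempts_before_block"]) < 1:
        findings.append("max_login_attempts_before_block: must be a positive integer")

    return findings
```

Run it in CI or at process start and refuse to boot when the returned list is non-empty.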
API surface
Public routes (/auth)
| Method | Path | Description |
|---|---|---|
| POST | /signup | Register a new account |
| POST | /login | Authenticate with email/password |
| POST | /logout | End the current session |
| POST | /refresh | Refresh access token |
| POST | /forgot-password | Request password reset email |
| POST | /reset-password | Complete password reset |
| GET | /verify-email | Verify email address |
| GET | /me | Get current user profile |
| PATCH | /me | Update profile |
| DELETE | /me | Delete account |
| GET | /sessions | List active sessions |
| DELETE | /sessions/{id} | Revoke a session |
| POST | /mfa/totp/setup | Begin TOTP enrollment |
| POST | /mfa/totp/verify | Complete TOTP enrollment |
| POST | /mfa/totp/validate | Validate TOTP during login |
| POST | /mfa/disable | Disable MFA |
| GET | /mfa/recovery-codes | Get recovery codes |
| POST | /organizations | Create organization |
| GET | /organizations/{id} | Get organization details |
| PATCH | /organizations/{id} | Update organization |
| DELETE | /organizations/{id} | Delete organization |
| GET | /organizations/{id}/members | List members |
| POST | /organizations/{id}/invite | Invite member |
| POST | /invitations/{id}/accept | Accept invitation |
| POST | /invitations/{id}/decline | Decline invitation |
| DELETE | /invitations/{id} | Revoke invitation |
| PATCH | /organizations/{id}/members/{uid}/role | Update member role |
| DELETE | /organizations/{id}/members/{uid} | Remove member |
| POST | /api-keys | Create API key |
| GET | /api-keys | List API keys |
| DELETE | /api-keys/{id} | Revoke API key |
| GET | /social/{provider}/start | Begin OAuth2 flow |
| GET | /social/{provider}/callback | OAuth2 callback |
| GET | /providers | List enabled auth providers |
Admin routes (/admin/auth)
Super-admin endpoints for platform-wide management. Mount separately:
```python
app.include_router(kit.admin_router, prefix="/admin/auth")
```
Project layout
```
src/vanty_auth/           Package source
docs/                     Documentation
examples/reference-api/   Reference FastAPI application
examples/reference-web/   Reference frontend (React + Orval)
tests/                    pytest suite (unit + integration)
```
Development
```bash
git clone https://github.com/advantch/vanty-auth.git
cd vanty-auth
uv sync --dev

# Lint
uv run ruff check

# Test
uv run pytest -q

# Run reference API
cd examples/reference-api && uv run uvicorn main:app --reload

# Run reference frontend
cd examples/reference-web && pnpm install && pnpm run dev
```
Use uv run pytest --no-cov tests/path/to/test.py for targeted debugging without the coverage gate.
Regenerating the frontend client
```bash
cd examples/reference-web
pnpm run generate:api
```
This refreshes the OpenAPI spec from the reference API and re-runs Orval.
Extending providers
New OAuth providers go under src/vanty_auth/social/providers/. Register the provider in the default registry and supply credentials through AuthSettings.provider_apps or the ProviderApp database table.
Releasing
Tags trigger the release workflow. The GitHub Actions pipeline builds, creates a GitHub release, and publishes to PyPI automatically.
```bash
git tag v0.2.0
git push origin v0.2.0
```
License
MIT
File details
Details for the file vanty_auth-0.3.0.tar.gz.
File metadata
- Download URL: vanty_auth-0.3.0.tar.gz
- Upload date:
- Size: 301.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a1811bf05234c8078071477376fd682f1f2677245ff8f5d54248aed8b2405520 |
| MD5 | 7951f21d3163156e170eaa3b4074bae7 |
| BLAKE2b-256 | 84df3cedb4bc56e62edb58681653a326e0664e2ebd74aef394b815b16df76c9d |
Provenance
The following attestation bundles were made for vanty_auth-0.3.0.tar.gz:
- Publisher: release.yml on advantch/vanty-auth
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: vanty_auth-0.3.0.tar.gz
- Subject digest: a1811bf05234c8078071477376fd682f1f2677245ff8f5d54248aed8b2405520
- Sigstore transparency entry: 1409639538
- Sigstore integration time:
- Permalink: advantch/vanty-auth@01d1042d22e67ce1c4da4867bba5e9fae43f9e13
- Branch / Tag: refs/tags/v0.3.0
- Owner: https://github.com/advantch
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@01d1042d22e67ce1c4da4867bba5e9fae43f9e13
- Trigger Event: push
File details
Details for the file vanty_auth-0.3.0-py3-none-any.whl.
File metadata
- Download URL: vanty_auth-0.3.0-py3-none-any.whl
- Upload date:
- Size: 67.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bacb0675716693641db59fe015de5f93d27ef1cec6989b117225c19f3b5b9a33 |
| MD5 | 43b946d777d52a9a9e1c293e24819da1 |
| BLAKE2b-256 | 662d24a22f9f53575074d2d31172c3a5678135603ef48848c284750cf742ed0d |
Provenance
The following attestation bundles were made for vanty_auth-0.3.0-py3-none-any.whl:
- Publisher: release.yml on advantch/vanty-auth
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: vanty_auth-0.3.0-py3-none-any.whl
- Subject digest: bacb0675716693641db59fe015de5f93d27ef1cec6989b117225c19f3b5b9a33
- Sigstore transparency entry: 1409639549
- Sigstore integration time:
- Permalink: advantch/vanty-auth@01d1042d22e67ce1c4da4867bba5e9fae43f9e13
- Branch / Tag: refs/tags/v0.3.0
- Owner: https://github.com/advantch
- Access: private
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@01d1042d22e67ce1c4da4867bba5e9fae43f9e13
- Trigger Event: push