Architecture¶
FastAuth is organized in four layers. Knowing them helps you understand which object to customize.
flowchart LR
subgraph Your app
APP[FastAPI app]
ROUTES["Your routes<br/>Depends(require_auth)"]
end
subgraph FastAuth
CONFIG[FastAuthConfig]
FA[FastAuth instance]
ROUTER["api/router.py<br/>/auth/* routes"]
DEPS["api/deps.py<br/>require_auth / require_role"]
CORE["core/<br/>tokens, oauth, rbac, emails, jwks"]
PROV["providers/<br/>Credentials, Google, GitHub,<br/>MagicLinks, Passkey"]
end
subgraph Your DB
ADAPTER["adapters/<br/>SQLAlchemy | Memory | Custom"]
end
CONFIG --> FA
FA --> ROUTER
FA --> DEPS
ROUTER --> CORE
ROUTER --> PROV
CORE --> ADAPTER
FA -. role_adapter / session_adapter .-> ADAPTER
APP -->|auth.mount| ROUTER
APP --> ROUTES
ROUTES --> DEPS
DEPS --> CORE
Layers¶
- Config (
fastauth.config):FastAuthConfig,JWTConfig,PasswordConfig,SecurityConfig. Validated on construction. FastAuthinstance (fastauth.app): holdsconfig,jwks_manager,email_dispatcher, and the post-constructionrole_adapter/session_adapterhandles.mount(app)wires the routes.- Routing + dependencies (
fastauth.api): the/auth/*routes and therequire_auth/require_role/require_permissionFastAPI dependencies your app consumes. - Providers, core, adapters (
fastauth.providers,fastauth.core,fastauth.adapters): providers know how to authenticate a user (credentials, OAuth, magic link, passkey); core implements JWT, OAuth flow, RBAC, email dispatch, JWKS; adapters persist users/tokens/sessions/roles/oauth/passkeys.
How a request flows¶
POST /auth/login→ router →CredentialsProvider.authenticate(adapter, email, password, token_adapter, security, client_ip)→ returnsUserData→ router issues a JWT pair viacore.tokens.async_create_token_pair→ iftoken_adapterset, the refresh JTI is stored → iftoken_delivery="cookie", cookies are set on the response.GET /your/routewithDepends(require_auth)→api.deps.get_current_userreads token from header or cookie, decodes viacore.tokens.decode_token, loads the user viaadapter.get_user_by_id→ if token came from a cookie and the method is unsafe (POST/PUT/PATCH/DELETE),enforce_cookie_csrfvalidates theX-CSRF-Tokenheader against thecsrf_tokencookie.
Design rules¶
- Core is DB-agnostic. Business logic lives in
core/andapi/;adapters/only persists and reads. - Adapters are protocols.
UserAdapter,TokenAdapter,SessionAdapter,RoleAdapter,OAuthAccountAdapter,PasskeyAdapteraretyping.Protocols infastauth.core.protocols. Implement any of them; FastAuth doesn't care. - Assign
role_adapter/session_adapterafter construction. Unlikeadapterandtoken_adapter(which go inFastAuthConfig), these are assigned afterFastAuth(config)because the/auth/sessionsand/auth/rolesendpoints return400 "… not configured"until you do. See RBAC and Tokens & sessions.