FAQ¶
JSON or cookie delivery?
JSON if your client is non-browser (mobile, curl, CLI) or your frontend stores tokens itself. Cookies (with CSRF) if you serve a same-origin SPA — the browser handles storage; HttpOnly makes the tokens invisible to XSS; SameSite mitigates CSRF.
HS256 or RS256? HS256 for single-process apps. RS256 (JWKS) the moment a second service needs to verify tokens — the resource service only needs the public key, never the secret.
Where do I store the secret?
Generate with fastauth generate-secret. In prod, load from an environment variable or a secrets manager. The secret must be ≥32 bytes.
Does registration send a verification email?
No. Call POST /auth/request-verify-email explicitly.
Does /auth/login require email_verified?
No. Gating on email_verified for credentials is your responsibility — allow_signin is not called by /auth/login.
Can a logged-in user link another OAuth account?
Yes. GET /auth/oauth/{provider}/link?redirect_uri=... (Bearer auth) → then /link/callback (state-bound, no Bearer needed).
Are access tokens revocable?
Not individually. Refresh tokens are revocable via the JTI allowlist (/auth/token/revoke, /auth/logout). To invalidate access tokens immediately, shorten access_token_ttl and rotate keys, or implement a per-user tokens_invalidated_at check in your own middleware (FastAuth does not provide this out of the box).
Are auto-generated RSA keys persistent?
No. They are regenerated on every initialize_jwks(). Provide your own PEM keys in production.
Should I use MemorySessionBackend in production?
Only in single-process deployments. Any multi-worker or multi-host setup needs RedisSessionBackend (or a similar shared SessionBackend) so OAuth state and passkey challenges are visible across workers.
Is session_strategy="database" supported?
Not yet. It is reserved for a future server-side session model. The auth routes today always issue JWT pairs. To use /auth/sessions endpoints, set auth.session_adapter = adapter.session — that is independent of session_strategy.
Can I use my own ORM?
Yes. Implement the protocols in fastauth.core.protocols (UserAdapter at minimum; TokenAdapter for refresh/verification/reset; others for the features you use). See Custom adapter.
Why does examples/basic return 403 on /admin?
That example (as of v0.5.7) uses require_role("admin") and require_permission("reports:read") without setting auth.role_adapter. It is a documentation bug we are fixing; see RBAC guide for the correct wiring. (tracked)
How does /auth/refresh read the refresh token?
From the JSON body {"refresh_token": "..."} (no CSRF) or from the refresh_token cookie (then the CSRF header is checked). It does not read from Authorization: Bearer. Use the body form in non-cookie clients.
Where can I see runnable examples?
examples/ in the repo: basic, oauth, magic_link, passkeys, full, jwt-microservice, custom_templates. See README.