Skip to content

FAQ

JSON or cookie delivery? JSON if your client is non-browser (mobile, curl, CLI) or your frontend stores tokens itself. Cookies (with CSRF) if you serve a same-origin SPA — the browser handles storage; HttpOnly makes the tokens invisible to XSS; SameSite mitigates CSRF.

HS256 or RS256? HS256 for single-process apps. RS256 (JWKS) the moment a second service needs to verify tokens — the resource service only needs the public key, never the secret.

Where do I store the secret? Generate with fastauth generate-secret. In prod, load from an environment variable or a secrets manager. The secret must be ≥32 bytes.

Does registration send a verification email? No. Call POST /auth/request-verify-email explicitly.

Does /auth/login require email_verified? No. Gating on email_verified for credentials is your responsibility — allow_signin is not called by /auth/login.

Can a logged-in user link another OAuth account? Yes. GET /auth/oauth/{provider}/link?redirect_uri=... (Bearer auth) → then /link/callback (state-bound, no Bearer needed).

Are access tokens revocable? Not individually. Refresh tokens are revocable via the JTI allowlist (/auth/token/revoke, /auth/logout). To invalidate access tokens immediately, shorten access_token_ttl and rotate keys, or implement a per-user tokens_invalidated_at check in your own middleware (FastAuth does not provide this out of the box).

Are auto-generated RSA keys persistent? No. They are regenerated on every initialize_jwks(). Provide your own PEM keys in production.

Should I use MemorySessionBackend in production? Only in single-process deployments. Any multi-worker or multi-host setup needs RedisSessionBackend (or a similar shared SessionBackend) so OAuth state and passkey challenges are visible across workers.

Is session_strategy="database" supported? Not yet. It is reserved for a future server-side session model. The auth routes today always issue JWT pairs. To use /auth/sessions endpoints, set auth.session_adapter = adapter.session — that is independent of session_strategy.

Can I use my own ORM? Yes. Implement the protocols in fastauth.core.protocols (UserAdapter at minimum; TokenAdapter for refresh/verification/reset; others for the features you use). See Custom adapter.

Why does examples/basic return 403 on /admin? That example (as of v0.5.7) uses require_role("admin") and require_permission("reports:read") without setting auth.role_adapter. It is a documentation bug we are fixing; see RBAC guide for the correct wiring. (tracked)

How does /auth/refresh read the refresh token? From the JSON body {"refresh_token": "..."} (no CSRF) or from the refresh_token cookie (then the CSRF header is checked). It does not read from Authorization: Bearer. Use the body form in non-cookie clients.

Where can I see runnable examples? examples/ in the repo: basic, oauth, magic_link, passkeys, full, jwt-microservice, custom_templates. See README.