Production checklist¶
Before deploying FastAuth to production, work through these items.
Secrets¶
- [ ] Generate
secretwithfastauth generate-secretand load it from a secret manager (not committed). - [ ] For RS256/RS512, supply PEM
private_key/public_keyfrom your secret manager. Do not rely on auto-generated keys — they are ephemeral and rotate on every restart.
Cookies¶
- [ ]
token_delivery="cookie"for browser apps (recommended). - [ ]
cookie_samesite="lax"or"strict". - [ ] Let
cookie_securedefault (i.e.not debug) — serve strictly over HTTPS. - [ ] Leave
csrf_enabled=True. Wire your client to sendX-CSRF-Token. - [ ]
debug=False(always, in prod).
OAuth¶
- [ ] Set
oauth_allowed_redirect_uristo the exact production callback URLs. - [ ] Use a shared
oauth_state_store(RedisSessionBackend) —MemorySessionBackendwill break under multiple workers. - [ ] Set
oauth_redirect_urlto your frontend post-callback URL, not the provider callback URL.
Passkeys¶
- [ ]
rp_idmatches the production hostname;originishttps://.... - [ ] Use a shared
passkey_state_store(RedisSessionBackend). - [ ] Run over HTTPS in production (WebAuthn requires a secure context).
Email¶
- [ ] Configure
SMTPTransportover TLS (or your production transport). - [ ] Set
base_urlto your public origin. - [ ] Monitor delivery failures (bounces, delayed sends).
Database¶
- [ ] Use PostgreSQL (or MySQL) — SQLite is dev-only.
- [ ] Run
adapter.create_tables()once on deploy; use Alembic for migrations when the schema changes. - [ ] Configure indexes for high-volume tables (
fastauth_tokens,fastauth_sessions,fastauth_oauth_accounts) if you operate at scale.
Tokens¶
- [ ] Set
access_token_ttlandrefresh_token_ttldeliberately. Shorter access = better blast-radius after logout; longer refresh = better UX. - [ ] Do not set
require_token_adapter_for_refresh=Falsein production.
CORS¶
- [ ] Set
cors_originsto the exact list of allowed origins. Do not use["*"]with credentials.
RBAC¶
- [ ] Set
auth.role_adapter = adapter.role. - [ ] Call
await auth.initialize_roles()in the lifespan startup. - [ ] Bootstrap the first admin out-of-band (direct DB insert) before locking down endpoints.
Sessions¶
- [ ] Set
auth.session_adapter = adapter.sessiononly if you actually want/auth/sessionsendpoints. Otherwise leave itNone(the endpoints return400until set, which is fine).
Monitoring¶
- [ ] Audit log auth events (
on_signup,on_signin,on_signout,on_password_reset,on_passkey_registered). - [ ] Alert on lockout frequency, OAuth state failures, JWKS fetch failures on resource services.
Maintainer release checklist¶
Before tagging a new version:
- [ ] Bump
versioninpackages/fastauth/pyproject.tomland__version__inpackages/fastauth/src/fastauth/__init__.py. - [ ] Update
CHANGELOG.md(add a section under[Unreleased]and move it under a new version heading). - [ ] Refresh any stale doc/example version references (e.g.
fastauth checkoutput snippets). - [ ] Run the full local gate:
- [ ] Verify
uv buildwheel includesLICENSEunderdist-info/licenses/. - [ ] tag, push, let CI publish.