Skip to content

Production checklist

Before deploying FastAuth to production, work through these items.

Secrets

  • [ ] Generate secret with fastauth generate-secret and load it from a secret manager (not committed).
  • [ ] For RS256/RS512, supply PEM private_key / public_key from your secret manager. Do not rely on auto-generated keys — they are ephemeral and rotate on every restart.

Cookies

  • [ ] token_delivery="cookie" for browser apps (recommended).
  • [ ] cookie_samesite="lax" or "strict".
  • [ ] Let cookie_secure default (i.e. not debug) — serve strictly over HTTPS.
  • [ ] Leave csrf_enabled=True. Wire your client to send X-CSRF-Token.
  • [ ] debug=False (always, in prod).

OAuth

  • [ ] Set oauth_allowed_redirect_uris to the exact production callback URLs.
  • [ ] Use a shared oauth_state_store (RedisSessionBackend) — MemorySessionBackend will break under multiple workers.
  • [ ] Set oauth_redirect_url to your frontend post-callback URL, not the provider callback URL.

Passkeys

  • [ ] rp_id matches the production hostname; origin is https://....
  • [ ] Use a shared passkey_state_store (RedisSessionBackend).
  • [ ] Run over HTTPS in production (WebAuthn requires a secure context).

Email

  • [ ] Configure SMTPTransport over TLS (or your production transport).
  • [ ] Set base_url to your public origin.
  • [ ] Monitor delivery failures (bounces, delayed sends).

Database

  • [ ] Use PostgreSQL (or MySQL) — SQLite is dev-only.
  • [ ] Run adapter.create_tables() once on deploy; use Alembic for migrations when the schema changes.
  • [ ] Configure indexes for high-volume tables (fastauth_tokens, fastauth_sessions, fastauth_oauth_accounts) if you operate at scale.

Tokens

  • [ ] Set access_token_ttl and refresh_token_ttl deliberately. Shorter access = better blast-radius after logout; longer refresh = better UX.
  • [ ] Do not set require_token_adapter_for_refresh=False in production.

CORS

  • [ ] Set cors_origins to the exact list of allowed origins. Do not use ["*"] with credentials.

RBAC

  • [ ] Set auth.role_adapter = adapter.role.
  • [ ] Call await auth.initialize_roles() in the lifespan startup.
  • [ ] Bootstrap the first admin out-of-band (direct DB insert) before locking down endpoints.

Sessions

  • [ ] Set auth.session_adapter = adapter.session only if you actually want /auth/sessions endpoints. Otherwise leave it None (the endpoints return 400 until set, which is fine).

Monitoring

  • [ ] Audit log auth events (on_signup, on_signin, on_signout, on_password_reset, on_passkey_registered).
  • [ ] Alert on lockout frequency, OAuth state failures, JWKS fetch failures on resource services.

Maintainer release checklist

Before tagging a new version:

  • [ ] Bump version in packages/fastauth/pyproject.toml and __version__ in packages/fastauth/src/fastauth/__init__.py.
  • [ ] Update CHANGELOG.md (add a section under [Unreleased] and move it under a new version heading).
  • [ ] Refresh any stale doc/example version references (e.g. fastauth check output snippets).
  • [ ] Run the full local gate:
    uv run pytest tests/ -q
    uv run ruff check .
    uv run ruff format --check .
    uv run mkdocs build
    uv build --package sreekarnv-fastauth --out-dir dist
    
  • [ ] Verify uv build wheel includes LICENSE under dist-info/licenses/.
  • [ ] tag, push, let CI publish.