Configuration¶
fastauth.config.FastAuthConfig
dataclass
¶
Top-level configuration for a :class:~fastauth.app.FastAuth instance.
The three required fields are secret, providers, and adapter. All other fields have sensible defaults.
Attributes:
| Name | Type | Description |
|---|---|---|
secret |
str
|
HMAC shared secret used to sign tokens when |
providers |
list[Any]
|
One or more provider instances — e.g. |
adapter |
UserAdapter
|
A :class: |
jwt |
JWTConfig
|
JWT signing and TTL configuration; defaults to HS256 with 15-minute access tokens. |
session_strategy |
Literal['jwt', 'database']
|
Currently informational only. FastAuth always issues
JWT token pairs on register/login/refresh. The |
route_prefix |
str
|
URL prefix for all FastAuth endpoints (default: |
session_backend |
SessionBackend | None
|
Reserved for the future |
email_transport |
EmailTransport | None
|
Transport used to deliver verification and password-reset emails. Omit to disable email flows entirely. |
email_template_dir |
str | Path | None
|
Directory containing custom Jinja2 email templates.
Any file placed here overrides the corresponding built-in template;
templates not present in this directory fall back to the built-in ones.
See the :ref: |
hooks |
EventHooks | None
|
An :class: |
oauth_adapter |
OAuthAccountAdapter | None
|
Adapter for persisting linked OAuth accounts. |
oauth_state_store |
SessionBackend | None
|
Session backend used to store OAuth CSRF state. |
oauth_redirect_url |
str | None
|
Frontend URL FastAuth 302s to after a successful
OAuth callback (e.g. |
oauth_allowed_redirect_uris |
list[str] | None
|
Exact OAuth provider callback URLs allowed
in |
token_adapter |
TokenAdapter | None
|
Adapter for persisting one-time verification/reset tokens and refresh-token JTIs for revocation/replay protection. |
require_token_adapter_for_refresh |
bool
|
Require |
base_url |
str
|
Public base URL of your application; used when building email verification / password-reset links. |
cors_origins |
list[str] | None
|
Allowed CORS origins. |
roles |
list[dict[str, Any]] | None
|
Seed role definitions applied on startup. |
default_role |
str | None
|
Role automatically assigned to every new user. |
debug |
bool
|
Relaxes cookie security ( |
token_delivery |
Literal['json', 'cookie']
|
|
cookie_name_access |
str
|
Name of the access-token cookie (default:
|
cookie_name_refresh |
str
|
Name of the refresh-token cookie (default:
|
cookie_secure |
bool | None
|
Explicit |
cookie_httponly |
bool
|
|
cookie_samesite |
Literal['lax', 'strict', 'none']
|
|
cookie_domain |
str | None
|
Optional domain scope for cookies. |
csrf_enabled |
bool
|
Whether cookie-authenticated unsafe requests require a
matching CSRF cookie/header token (default: |
csrf_cookie_name |
str
|
Name of the readable CSRF cookie (default:
|
csrf_header_name |
str
|
Name of the request header containing the CSRF token
(default: |
password |
PasswordConfig
|
Password strength and validation settings. |
security |
SecurityConfig
|
Security settings including account lockout. |
fastauth.config.JWTConfig
dataclass
¶
JWT signing and validation settings.
All TTL values are in seconds.
Attributes:
| Name | Type | Description |
|---|---|---|
algorithm |
JWTAlgorithm
|
Signing algorithm — |
access_token_ttl |
int
|
Lifetime of access tokens (default: 900 = 15 minutes). |
refresh_token_ttl |
int
|
Lifetime of refresh tokens (default: 2 592 000 = 30 days). |
issuer |
str | None
|
Optional |
audience |
list[str] | None
|
Optional |
jwks_enabled |
bool
|
When |
key_rotation_interval |
int | None
|
Seconds between automatic RSA key rotations when
|
private_key |
str | None
|
PEM-encoded RSA private key (required for RS256/RS512). |
public_key |
str | None
|
PEM-encoded RSA public key (required for RS256/RS512). |
fastauth.config.PasswordConfig
dataclass
¶
Password strength and security settings.
Attributes:
| Name | Type | Description |
|---|---|---|
min_length |
int
|
Minimum password length (default: 8). |
require_uppercase |
bool
|
Require at least one uppercase letter. |
require_lowercase |
bool
|
Require at least one lowercase letter. |
require_digit |
bool
|
Require at least one digit. |
require_special |
bool
|
Require at least one special character. |
max_length |
int
|
Maximum password length (default: 128). |
fastauth.config.SecurityConfig
dataclass
¶
Security settings including account lockout.
Attributes:
| Name | Type | Description |
|---|---|---|
max_login_attempts |
int
|
Maximum failed login attempts before lockout (default: 5). |
lockout_duration |
int
|
Duration of lockout in seconds (default: 300 = 5 minutes). |
login_attempts_by_ip |
bool
|
Also track failed credential login attempts by client IP when the request IP is available. Email-based throttling is always applied. |
use_memory_login_attempts_without_token_adapter |
bool
|
Enable provider-local in-memory failed-login tracking when no token_adapter is configured. This fallback is intended only for tests, demos, and single-process development; configure a token_adapter for production so login-attempt state is shared and durable. |