from authfort import CookieConfig
| Field | Type | Default | Description |
|---|---|---|---|
| `secure` | `bool` | `True` | HTTPS only |
| `httponly` | `bool` | `True` | No JavaScript access |
| `samesite` | `Literal["lax", "strict", "none"]` | `"lax"` | SameSite policy |
| `path` | `str` | `"/"` | Cookie path |
| `domain` | `str \| None` | `None` | Cookie domain (e.g., `".example.com"` for subdomains) |
| `access_cookie_name` | `str` | `"access_token"` | Access token cookie name |
| `refresh_cookie_name` | `str` | `"refresh_token"` | Refresh token cookie name |
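# Default — secure=True (HTTPS only), httponly=True (no JavaScript access),
# samesite="lax".
cookie = CookieConfig()

# Local development — secure=False lets the browser send the token cookies
# over plain HTTP. Keep this to local development; a deployed instance
# should leave secure at its default of True.
cookie = CookieConfig(secure=False)

# Subdomain sharing — a Domain attribute of ".example.com" makes the token
# cookies visible to every host under example.com, so every subdomain is
# trusted with them. Leave domain=None (host-only cookie) unless that
# sharing is intended.
cookie = CookieConfig(domain=".example.com")

# Strict same-site — the cookies are never sent on cross-site requests,
# including top-level navigations that arrive from another site.
cookie = CookieConfig(samesite="strict")

# Cross-origin — browsers only accept SameSite=None together with Secure,
# so secure must stay True (the default). The cookies then travel on
# cross-site requests, which is where CSRF defences become relevant.
cookie = CookieConfig(samesite="none")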
from authfort import GoogleProvider
| Field | Type | Default | Description |
|---|---|---|---|
| `client_id` | `str` | — | (required) Google OAuth client ID |
| `client_secret` | `str` | — | (required) Google OAuth client secret |
| `extra_scopes` | `tuple[str, ...]` | `()` | Additional OAuth scopes beyond required ones |
REQUIRED_SCOPES: ("openid", "email", "profile") — always included automatically.
| Property | Value |
|---|---|
| `name` | `"google"` |
| `authorize_url` | `"https://accounts.google.com/o/oauth2/v2/auth"` |
| `token_url` | `"https://oauth2.googleapis.com/token"` |
from authfort import GitHubProvider
| Field | Type | Default | Description |
|---|---|---|---|
| `client_id` | `str` | — | (required) GitHub OAuth client ID |
| `client_secret` | `str` | — | (required) GitHub OAuth client secret |
| `extra_scopes` | `tuple[str, ...]` | `()` | Additional OAuth scopes beyond required ones |
REQUIRED_SCOPES: ("read:user", "user:email") — always included automatically.
| Property | Value |
|---|---|
| `name` | `"github"` |
| `authorize_url` | `"https://github.com/login/oauth/authorize"` |
| `token_url` | `"https://github.com/login/oauth/access_token"` |
from authfort import GenericOAuthProvider
| Field | Type | Default | Description |
|---|---|---|---|
| `name` | `str` | — | (required, positional) Provider name |
| `client_id` | `str` | — | (required) OAuth client ID |
| `client_secret` | `str` | — | (required) OAuth client secret |
| `authorize_url` | `str` | — | (required) Authorization endpoint URL |
| `token_url` | `str` | — | (required) Token endpoint URL |
| `userinfo_url` | `str` | — | (required) Userinfo endpoint URL |
| `scopes` | `tuple[str, ...]` | `()` | OAuth scopes |
| `extra_scopes` | `tuple[str, ...]` | `()` | Additional OAuth scopes |
| `map_user_info` | `callable \| None` | `None` | Custom function to map userinfo response |
| `redirect_uri` | `str \| None` | `None` | Custom redirect URI |
from authfort import GenericOIDCProvider
| Field | Type | Default | Description |
|---|---|---|---|
| `name` | `str` | — | (required, positional) Provider name |
| `client_id` | `str` | — | (required) OAuth client ID |
| `client_secret` | `str` | — | (required) OAuth client secret |
| `discovery_url` | `str` | — | (required) OpenID Connect discovery URL |
| `scopes` | `tuple[str, ...]` | `("openid", "email", "profile")` | OAuth scopes |
| `extra_scopes` | `tuple[str, ...]` | `()` | Additional OAuth scopes |
| `map_user_info` | `callable \| None` | `None` | Custom function to map userinfo response |
| `discovery_ttl` | `float` | `3600` | Discovery document cache TTL in seconds |
| `redirect_uri` | `str \| None` | `None` | Custom redirect URI |
Endpoints are auto-discovered from the .well-known/openid-configuration URL.
from authfort import RateLimitConfig
Per-endpoint rate limits. Pass to AuthFort(rate_limit=...) to enable rate limiting. Set individual fields to None to skip rate limiting for that endpoint.
| Field | Type | Default | Description |
|---|---|---|---|
| `login` | `str \| None` | `"5/min"` | Login endpoint |
| `signup` | `str \| None` | `"3/min"` | Signup endpoint |
| `magic_link` | `str \| None` | `"5/min"` | Magic link request endpoint |
| `otp` | `str \| None` | `"5/min"` | OTP request and verify endpoints |
| `verify_email` | `str \| None` | `"5/min"` | Email verification endpoint |
| `refresh` | `str \| None` | `"30/min"` | Token refresh endpoint |
| `oauth_authorize` | `str \| None` | `"10/min"` | OAuth authorization endpoint |
Format: "{count}/{period}" where period is sec, min, hour, or day.
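# Enable rate limiting with the built-in per-endpoint defaults.
auth = AuthFort(database_url="...", rate_limit=RateLimitConfig())

# Override specific endpoints. Limits use the "{count}/{period}" format.
# A looser login limit widens the window for password-guessing attempts,
# so keep it as low as the product tolerates.
auth = AuthFort(
    database_url="...",
    rate_limit=RateLimitConfig(login="10/min", signup="5/min"),
)

# Disable rate limiting for refresh only; every other endpoint keeps its
# default limit. (None on a field skips limiting for that endpoint.)
auth = AuthFort(
    database_url="...",
    rate_limit=RateLimitConfig(refresh=None),
)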
from authfort.ratelimit import RateLimitStore
Protocol for custom rate limit storage backends (e.g., Redis). The default is InMemoryStore (sliding window counter, thread-safe).
| Method | Signature | Description |
|---|---|---|
| `hit` | `hit(key, limit) -> (allowed, remaining, retry_after)` | Record a hit and check if the limit is exceeded |
| `reset` | `reset(key=None) -> None` | Reset state for a key, or all keys if `None` |
Internal configuration object, accessible via auth.config. Read-only.
| Field | Type | Description |
|---|---|---|
| `database_url` | `str` | Database connection string |
| `access_token_expire_seconds` | `int` | Access token TTL |
| `refresh_token_expire_seconds` | `int` | Refresh token TTL |
| `jwt_issuer` | `str` | JWT issuer claim |
| `cookie` | `CookieConfig \| None` | Cookie config |
| `key_rotation_ttl_seconds` | `int` | Key rotation interval |
| `introspect_secret` | `str \| None` | Introspection secret |
| `allow_signup` | `bool` | Public signup enabled |
| `password_reset_ttl_seconds` | `int` | Reset token TTL |
| `rsa_key_size` | `int` | RSA key size in bits (default 2048) |
| `frontend_url` | `str \| None` | Frontend origin for cross-origin OAuth redirects |
| `email_verify_ttl_seconds` | `int` | Email verification token TTL |
| `magic_link_ttl_seconds` | `int` | Magic link token TTL |
| `email_otp_ttl_seconds` | `int` | Email OTP code TTL |
| `allow_passwordless_signup` | `bool` | Auto-create users via magic link/OTP |
| `rate_limit` | `RateLimitConfig \| None` | Rate limiting config (`None` = disabled) |