Install
Quick Start
One dependency protects your entire API:grant is a fully typed VerifiedGrant dataclass with the principal, agent, scopes, and timestamps.
How It Works
GrantexAuthextracts the Bearer token from theAuthorizationheader- It verifies the RS256 signature against the Grantex JWKS endpoint
- On success, a
VerifiedGrantis returned and injected into your handler .scopes()optionally checks that the grant contains all required scopes- Errors are converted to JSON responses by
grantex_exception_handler
Token Verification Only
UseDepends(grantex) to verify the token without checking scopes:
Scope Enforcement
Via dependency (recommended)
UseDepends(grantex.scopes(...)) to verify the token AND check scopes in one step:
Via function call
Check scopes inside the route handler withrequire_scopes():
Custom Token Extraction
By default, the middleware reads theAuthorization: Bearer <token> header. Override this with token_extractor:
Error Handling
Register the built-in exception handler to return JSON error responses:Error Codes
grant Reference
The VerifiedGrant dataclass contains:
Full Example
A complete FastAPI application protected by Grantex:API Reference
GrantexAuth(jwks_uri, *, clock_tolerance=0, audience=None, token_extractor=None)
Creates a Grantex authentication dependency.
grantex.scopes(*required_scopes)
Returns a dependency that verifies the token AND checks all required scopes.
require_scopes(grant, *scopes)
Standalone function that checks scopes on an already-verified grant. Raises GrantexFastAPIError with SCOPE_INSUFFICIENT if any scope is missing.
grantex_exception_handler(request, exc)
Starlette exception handler that converts GrantexFastAPIError to a JSON response.
Requirements
- Python 3.9+
- FastAPI >= 0.100.0
grantex>= 0.1.0