Skip to main content

Install

Quick Start

One dependency protects your entire API:
After verification succeeds, grant is a fully typed VerifiedGrant dataclass with the principal, agent, scopes, and timestamps.

How It Works

  1. GrantexAuth extracts the Bearer token from the Authorization header
  2. It verifies the RS256 signature against the Grantex JWKS endpoint
  3. On success, a VerifiedGrant is returned and injected into your handler
  4. .scopes() optionally checks that the grant contains all required scopes
  5. Errors are converted to JSON responses by grantex_exception_handler

Token Verification Only

Use Depends(grantex) to verify the token without checking scopes:

Scope Enforcement

Use Depends(grantex.scopes(...)) to verify the token AND check scopes in one step:

Via function call

Check scopes inside the route handler with require_scopes():

Custom Token Extraction

By default, the middleware reads the Authorization: Bearer <token> header. Override this with token_extractor:

Error Handling

Register the built-in exception handler to return JSON error responses:
Or write a custom handler:

Error Codes


grant Reference

The VerifiedGrant dataclass contains:

Full Example

A complete FastAPI application protected by Grantex:

API Reference

GrantexAuth(jwks_uri, *, clock_tolerance=0, audience=None, token_extractor=None)

Creates a Grantex authentication dependency.

grantex.scopes(*required_scopes)

Returns a dependency that verifies the token AND checks all required scopes.

require_scopes(grant, *scopes)

Standalone function that checks scopes on an already-verified grant. Raises GrantexFastAPIError with SCOPE_INSUFFICIENT if any scope is missing.

grantex_exception_handler(request, exc)

Starlette exception handler that converts GrantexFastAPIError to a JSON response.

Requirements

  • Python 3.9+
  • FastAPI >= 0.100.0
  • grantex >= 0.1.0
Last modified on July 11, 2026