Skip to content

In here you will find the API for everything exposed in this extension.

Configuring FastAPI PASETO Auth

load_config(callback): This decorator sets the callback function to overwrite state on AuthPASETO class so when you initialize an instance in dependency injection default value will be overwritten.

The callback must be a function that returns a list of tuple or pydantic object.

token_in_denylist_loader(callback): This decorator sets the callback function that will be called when a protected endpoint is accessed and will check if the PASETO has been revoked. By default, this callback is not used.

The callback must be a function that takes `one` argument, which is the decoded PASETO (python dictionary),
and returns `True` if the token has been revoked, or `False` otherwise.

Protected Endpoint

paseto_required(optional: bool = False, fresh: bool = False, refresh_token: bool = False, type: str = access, base64_encoded: bool = False):

If you call this function, it will ensure that the requester has a valid access token before
executing the code below your router. Depending on set options, it might not raise an exception even if the check fails.*

* Parameters:
    **optional**: Defines whether the check should continue even if no PASETO is found.\
                  (An exception will still always be raised if an invalid one is found.)
    **fresh**: If set to True, requires any PASETO found to be a fresh access token.
    **refresh_token**: If set to True, checks for a refresh token instead of an access token.
    **type**: If set to a string, this gets checked against the type of the token provided. Used for custom types other than access or refresh tokens.
    **base64_encoded**: Whether the token to check is base64 encoded.
* Returns: None

Utilities

create_access_token (subject, fresh=False, purpose=None, headers=None, expires_time=None, audience=None, user_claims={}, base64_encode: bool = False):

*Create a new access token.*

* Parameters:
    **subject**: Identifier for who this token is for example id or username from database
    **fresh**: Identify if token is fresh or non-fresh
    **purpose**: Purpose for the PASETO
    **headers**: Valid dict for specifying additional headers in PASETO header section
    **expires_time**: Set the duration of the PASETO
    **audience**: Expected audience in the PASETO
    **user_claims**: Custom claims to include in this token. This data must be dictionary
    **base64_encode**: If true the created token will be base64 encoded. This is useful for if you need to pass the token somewhere where special characters might cause issues.
* Returns: An encoded access token

create_refresh_token(subject, purpose=None, headers=None, expires_time=None, audience=None, user_claims={}, base64_encode: bool = False):

*Creates a new refresh token.*

* Parameters:
    **subject**: Identifier for who this token is for example id or username from database
    **purpose**: Purpose for the PASETO
    **headers**: Valid dict for specifying additional headers in PASETO header section
    **expires_time**: Set the duration of the PASETO
    **audience**: Expected audience in the PASETO
    **user_claims**: Custom claims to include in this token. This data must be dictionary
    **base64_encode**: If true the created token will be base64 encoded. This is useful for if you need to pass the token somewhere where special characters might cause issues.
* Returns: An encoded refresh token

create_token(subject, type, purpose=None, headers=None, expires_time=None, audience=None, user_claims={}, base64_encode: bool = False):

*Creates a new refresh token.*

* Parameters:
    **subject**: Identifier for who this token is for example id or username from database
    **type**: Type of the token to be created
    **purpose**: Purpose for the PASETO
    **headers**: Valid dict for specifying additional headers in PASETO header section
    **expires_time**: Set the duration of the PASETO
    **audience**: Expected audience in the PASETO
    **user_claims**: Custom claims to include in this token. This data must be dictionary
    **base64_encode**: If true the created token will be base64 encoded. This is useful for if you need to pass the token somewhere where special characters might cause issues.
* Returns: An encoded refresh token

get_token_payload():

*This will return the python dictionary which has all of the claims of the PASETO that is accessing the endpoint.
If no PASETO is currently present, return `None` instead.*

* Parameters: None
* Returns: Dictionary that contains the claims of PASETO

get_jti():

*Returns the JTI (unique identifier) of an the PASETO that is accessing the endpoint*

* Parameters: None
* Returns: String of JTI

get_subject():

*This will return the subject of the PASETO that is accessing the endpoint.
If no PASETO is present, `None` is returned instead.*