Composable authentication sources for FastAPI: bring your own validator, combine multiple schemes with MultiAuth, and get correct OpenAPI documentation by construction.
Documentation: https://fastapi-multiauth.d3vyce.fr
Source Code: https://github.com/d3vyce/fastapi-multiauth
fastapi-multiauth is the composable layer between the raw primitives of fastapi.security and opinionated frameworks like fastapi-users or AuthX. You provide the validator; the library handles extraction, scheme combination, and OpenAPI declaration. No database coupling, no user model, no ready-made login routes.
uv add fastapi-multiauthOptional extras pull in their dependencies on demand:
uv add "fastapi-multiauth[jwt]" # JWTValidator (PyJWT)
uv add "fastapi-multiauth[oauth]" # OAuth 2.0 / OIDC helpers (httpx-oauth)
uv add "fastapi-multiauth[jwt,oauth]"from fastapi import FastAPI, Security
from fastapi_multiauth import HTTPBearerAuth, APIKeyCookieAuth, MultiAuth, UnauthorizedError
async def validate_token(token: str) -> dict:
user = await lookup_user_by_token(token)
if user is None:
raise UnauthorizedError()
return user
async def validate_session(value: str) -> dict:
return await lookup_user_by_session(value)
bearer = HTTPBearerAuth(validate_token, prefix="user_")
session = APIKeyCookieAuth("session", validate_session, secret_key="...")
# Accept either an API token or a web session on the same route.
auth = MultiAuth(bearer, session)
app = FastAPI()
@app.get("/me")
async def me(user=Security(auth)):
return user- BYO validator: every source wraps a sync or async callable you provide; the library never touches your user model or database.
MultiAuth: try several sources in order on a single route (e.g. web session cookie + API bearer token), with all schemes documented in OpenAPI.- Built-in sources: covering the standard
fastapi.securityschemes:HTTPBearerAuth: bearer tokens with optional Stripe-styleuser_/org_prefixes to route different token types to different validators, plusgenerate_token()for secure token creation.APIKeyCookieAuth: cookie sessions with optional HMAC-SHA256 signing (via itsdangerous), embedded expiry, and key rotation.APIKeyHeaderAuth:X-API-Key-style schemes, withAPIKeyQueryAuthfor legacy clients that can only pass a query parameter.HTTPBasicAuth:validator(username, password)withWWW-Authenticaterealm support.
- Token hashing helpers:
hash_token/verify_token_hashpackage the "store the hash, never the token" pattern with constant-time comparison. - JWT validation (
fastapi-multiauth[jwt]extra):JWTValidatorforHTTPBearerAuth: HS256 or provider JWKS (Keycloak/Auth0/Entra/Authentik) with TTL caching and rotation-awarekidrefresh,aud/iss/expchecks, configurable scope claims, and aclaims_to_identityhook. - Security scopes:
Security(auth, scopes=[...])forwards the declared scopes to validators that accept ascopesparameter. - Correct HTTP semantics: 401 with
WWW-Authenticatechallenges (RFC 7235) and 403 viaForbiddenError. - OAuth 2.0 / OIDC helpers (
fastapi-multiauth[oauth]extra): async discovery with TTL caching, HTTPS enforcement, CSRF-protectedstateencoding, PKCE (S256), and code exchange delegated to httpx-oauth.
An honest map of where fastapi-multiauth sits. It is the composable layer between the raw primitives of fastapi.security and opinionated user frameworks. If you want ready-made /register//login routes and a user model, you want a different tool.
fastapi.security (native) |
fastapi-multiauth | fastapi-users | AuthX | Authlib | |
|---|---|---|---|---|---|
| Credential extraction + OpenAPI | ✅ | ✅ | ✅ | ✅ | ➖ |
| Bring-your-own validator | manual | ✅ | ❌ (own user model) | partial | manual |
| Multiple schemes on one route | manual | ✅ MultiAuth |
❌ | ❌ | ❌ |
| Signed cookie sessions (rotation, name-binding) | ❌ | ✅ | ✅ (own format) | ✅ (JWT in cookie) | ❌ |
| Opaque API tokens (prefixes, hash helpers) | ❌ | ✅ | ✅ (DB-backed) | ❌ | ❌ |
| JWT validation (HS + JWKS) | ❌ | ✅ JWTValidator |
✅ | ✅ | ✅ |
| JWT issuance / refresh | ❌ | ❌ | ✅ | ✅ | ✅ |
| Scope enforcement (fail-closed) | manual | ✅ | partial | ✅ | manual |
| OAuth login client helpers (PKCE, state) | ❌ | ✅ | ✅ (per-provider) | ❌ | ✅ (full client) |
| OAuth2/OIDC server | ❌ | ❌ | ❌ | ❌ | ✅ |
| User model, register/login/reset routes | ❌ | ❌ | ✅ | ❌ | ❌ |
| Database coupling | none | none | SQLAlchemy/Beanie | none | none |
| Maintenance status | active | active | maintenance mode | active | active |
When to pick what:
fastapi.securityalone: one scheme, simple validator, no sessions. The primitives are fine, this library just saves you the boilerplate around them.- fastapi-multiauth: you own the user store and just need request-time auth: bring your own validator, combine several schemes on one route with
MultiAuth, validate opaque tokens or JWTs, and get correct OpenAPI for free. No user model, no issued tokens, no database coupling. - fastapi-users: you want batteries included (user table, password reset, verified-email flow) and accept its user model. Note it is in maintenance mode.
- AuthX: your session model is "login issues a JWT pair, refresh endpoint rotates it". This library validates JWTs but will never issue them.
- Authlib: you are building an OAuth2/OIDC server, or need a full-featured OAuth client beyond the login flow.
Yes, every source accepts sync or async callables (including callable class instances) and awaits them correctly.
The OpenAPI specification only allows scope lists on oauth2/openIdConnect schemes; for http/apiKey schemes the array must be empty. Enforcement happens at runtime regardless; see Usage → Security scopes.
This project is licensed under the MIT License.