Logo

FastAPI Reference

Installation

pip install propelauth_fastapi

Initialize

init_auth performs a one-time initialization of the library. It will verify your api_key is correct and fetch the metadata needed to verify access tokens in require_user or optional_user.

In serverless environments, it's beneficial to skip the fetch, in which case you can pass in token_verification_metadata instead of having the library fetch it. You can find your verifier key and issuer URL in the Backend Integration page in your PropelAuth dashboard.

from propelauth_fastapi import init_auth

auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

Async Support

If you prefer to use asynchronous functions you can use init_auth_async instead of init_auth. When using init_auth_async, each backend API request will be async.

from propelauth_fastapi import init_auth_async

auth = init_auth_async(
    "YOUR_AUTH_URL", 
    "YOUR_API_KEY",
    httpx_client=httpx.AsyncClient() # Optional. Only needed if you want to use a custom client
)

Protect API Routes

Protecting an API route is as simple as adding a dependency to your route.

None of the dependencies make a external request to PropelAuth. They all are verified locally using the access token provided in the request, making it very fast.

require_user

A dependency that will verify the request was made by a valid user. If a valid access token is provided, it will return a User object. If not, the request is rejected with a 401 status code.

from fastapi import FastAPI, Depends
from propelauth_fastapi import init_auth, User

app = FastAPI()
auth = init_auth("AUTH_URL", "API_KEY")

@app.get("/")
async def root(current_user: User = Depends(auth.require_user)):
    return {"message": f"Hello {current_user.user_id}"}

optional_user

Similar to require_user, but will return None if no valid access token is provided.

from typing import Optional

from fastapi import FastAPI, Depends
from propelauth_fastapi import init_auth, User

app = FastAPI()
auth = init_auth("AUTH_URL", "API_KEY")

@app.get("/api/whoami_optional")
async def whoami_optional(current_user: Optional[User] = Depends(auth.optional_user)):
    if current_user:
        return {"user_id": current_user.user_id}
    return {}

Authorization / Organizations

You can also verify which organizations the user is in, and which roles and permissions they have in each organization all through the User or OrgMemberInfo objects.

Check Org Membership

Verify that the request was made by a valid user and that the user is a member of the specified organization. This can be done using the User object.

@app.get("/api/org/{org_id}")
async def org_membership(org_id: str, current_user: User = Depends(auth.require_user)):
    org = current_user.get_org(org_id)
    if org == None:
        raise HTTPException(status_code=403, detail="Forbidden")
    return f"You are in org {org.org_name}"

Check Org Membership and Role

Similar to checking org membership, but will also verify that the user has a specific Role in the organization. This can be done using either the User or OrgMemberInfo objects.

A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.

## Assuming a Role structure of Owner => Admin => Member

@app.get("/api/org/{org_id}")
def org_owner(org_id: str, current_user: User = Depends(auth.require_user)):
    org = current_user.get_org(org_id)
    if (org == None) or (org.user_is_role("Owner") == False):
        raise HTTPException(status_code=403, detail="Forbidden")
    return f"You are an Owner in org {org.org_name}"

Check Org Membership and Permission

Similar to checking org membership, but will also verify that the user has the specified permission in the organization. This can be done using either the User or OrgMemberInfo objects.

Permissions are arbitrary strings associated with a role. For example, can_view_billing, ProductA::CanCreate, and ReadOnly are all valid permissions. You can create these permissions in the PropelAuth dashboard.

@app.get("/api/org/{org_id}")
def org_billing(org_id: str, current_user: User = Depends(auth.require_user)):
    org = current_user.get_org(org_id)
    if (org == None) or (org.user_has_permission("can_view_billing") == False):
        raise HTTPException(status_code=403, detail="Forbidden")
    return Response(f"You can view billing information for org {org.org_name}")

User

The User object contains information about the user that made the request.

  • Name
    user_id
    Type
    string
    Description
    The unique id of the user.
  • Name
    org_id_to_org_member_info
    Type
    dict
    Description
    A dictionary mapping from organization id to OrgMemberInfo object.
  • Name
    email
    Type
    string
    Description
    The email of the user.
  • Name
    first_name
    Type
    string
    Description
    The first name of the user.
  • Name
    last_name
    Type
    string
    Description
    The last name of the user.
  • Name
    username
    Type
    string
    Description
    The username of the user.
  • Name
    properties
    Type
    dict
    Description
    A dictionary of custom properties associated with the user.
  • Name
    legacy_user_id
    Type
    string
    Description
    If the user was migrated using our Migration API, this will be the id of the user in the legacy system.
  • Name
    impersonator_user_id
    Type
    string
    Description
    If the user is being impersonated, this is id of the user that impersonated them.
  • Name
    active_org_id
    Type
    string | undefined
    Description
    Returns the ID of the Active Org, if the user has an Active Org set.
  • Name
    login_method
    Type
    object
    Description
    The method the user used to log in. Returns the Login Method Property.
  • Name
    is_impersonated()
    Type
    bool
    Description
    True if the user is being impersonated.
  • Name
    get_active_org()
    Type
    dict
    Description
    Returns the OrgMemberInfo of the Active Org, if the user has an Active Org set.
  • Name
    get_active_org_id()
    Type
    string
    Description
    Returns the ID of the Active Org, if the user has an Active Org set.
  • Name
    get_org(org_id)
    Type
    dict
    Description
    Returns the org member info for the org_id, if the user is in the org.
  • Name
    get_org_by_name(org_name)
    Type
    dict
    Description
    Returns the org member info for the org_name, if the user is in the org.
  • Name
    get_user_property(property_name)
    Description
    Returns the user property value, if it exists.
  • Name
    get_orgs()
    Type
    array
    Description
    Returns the orgs the user is in.
  • Name
    is_role_in_org(org_id, role)
    Type
    bool
    Description
    Returns true if the user is the role in the org.
  • Name
    is_at_least_role_in_org(org_id, role)
    Type
    bool
    Description
    Returns true if the user is at least the role in the org.
  • Name
    has_permission_in_org(org_id, permission)
    Type
    bool
    Description
    Returns true if the user has the permission in the org.
  • Name
    has_all_permissions_in_org(org_id, permissions)
    Type
    bool
    Description
    Returns true if the user has all the permissions in the org.

OrgMemberInfo

The OrgMemberInfo object contains information about the user's membership in an organization.

  • Name
    org_id
    Type
    string
    Description
    The unique id of the organization.
  • Name
    org_name
    Type
    string
    Description
    The name of the organization.
  • Name
    org_metadata
    Type
    object
    Description
    The metadata associated with the organization.
  • Name
    user_assigned_role
    Type
    string
    Description
    The role of the user in the organization.
  • Name
    user_inherited_roles_plus_current_role
    Type
    list[string]
    Description
    The role of the user within this organization plus each inherited role.
  • Name
    user_permissions
    Type
    list[string]
    Description
    A list of permissions the user has in the organization, based on their role.
  • Name
    url_safe_org_name
    Type
    string
    Description
    A URL-safe version of the org_name property.
  • Name
    user_is_role
    Type
    fn(role: string) -> bool
    Description
    A function that returns true if the user has the specified role in the organization.
  • Name
    user_is_at_least_role
    Type
    fn(role: string) -> bool
    Description
    A function that returns true if the user has at least the specified role in the organization.
  • Name
    user_has_permission
    Type
    fn(permission: string) -> bool
    Description
    A function that returns true if the user has the specified permission in the organization.
  • Name
    user_has_all_permissions
    Type
    fn(permissions: list[string]) -> bool
    Description
    A function that returns true if the user has all of the specified permissions in the organization.
  • Name
    org_role_structure
    Type
    string
    Description
    The role structure set for your project. See multi roles per user for more information.
  • Name
    assigned_additional_roles
    Type
    list[string]
    Description
    If using multiple roles per user, returns an array of roles that the user belongs to. Excludes the `user_assigned_role`.
  • Name
    legacy_org_id
    Type
    string
    Description
    If the org was migrated from another system, this will be the ID of the org in the legacy system.

Usage with API Docs

FastAPIs built in documentation will automatically add this button when you are using either require_user or optional_user.

authorize button

You can obtain the access token via the Create Access Token API.

Calling Backend APIs

You can also use the library to call the PropelAuth APIs directly, allowing you to fetch users, create orgs, and a lot more. See the API Reference for more information.

from propelauth_fastapi import init_auth

auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

magic_link = auth.create_magic_link(email="test@example.com")