Python Reference

PropelAuth’s Python library provides all the building blocks you need to add authentication to any Python backend.

For most Python frameworks, like FastAPI, Django, and Flask, we have built out libraries specifically for them. Those libraries will provide a more first-class experience than this library.

Installation

pip install propelauth_py

init_base_auth performs a one-time initialization of the library. It will verify your api_key is correct and fetch the metadata needed to verify access tokens with validate_access_token_and_get_user.

In serverless environments, it's beneficial to skip the fetch, in which case you can pass in token_verification_metadata instead of having the library fetch it. You can find your verifier key and issuer URL in the Backend Integration page in your PropelAuth dashboard.

from propelauth_py import init_base_auth

auth = init_base_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

Async Support

If you prefer to use asynchronous functions you can use init_base_async_auth instead of init_base_auth. When using init_base_async_auth, each backend API request will be async.

from propelauth_py import init_base_async_auth

auth = init_base_async_auth(
    "YOUR_AUTH_URL", 
    "YOUR_API_KEY",
    httpx_client=httpx.AsyncClient() # Optional. Only needed if you want to use a custom client
)

Protect API Routes

After initializing auth, you can verify access tokens by passing in the Authorization header (formatted Bearer TOKEN) to validate_access_token_and_get_user. You can see more information about the User object returned in User.

auth_header = # get authorization header in the form `Bearer {TOKEN}`
try:
   user = auth.validate_access_token_and_get_user(auth_header)
   print("Logged in as", user.user_id)
except UnauthorizedException:
   print("Invalid access token")

Verifying the access token doesn't require an external request.

Authorization / Organizations

You can also verify which organizations the user is in, and which roles and permissions they have in each organization all through the User object.

Check Org Membership

Verify that the request was made by a valid user and that the user is a member of the specified organization. This can be done using the User object.

auth_header = # get authorization header in the form `Bearer {TOKEN}`
org_id = # get org id from request
try:
    user = auth.validate_access_token_and_get_user(auth_header)
    org = user.get_org(org_id)
    if org is None:
        # return 403 error
    print(f"You are in org {org.org_id}")
except UnauthorizedException:
    print("Invalid access token")

Check Org Membership and Role

Similar to checking org membership, but will also verify that the user has a specific Role in the organization. This can be done using either the User or OrgMemberInfo objects.

A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.

## Assuming a Role structure of Owner => Admin => Member

auth_header = # get authorization header in the form `Bearer {TOKEN}`
org_id = # get org id from request
try:
    user = auth.validate_access_token_and_get_user(auth_header)
    org = user.get_org(org_id)
    if (org is None) or (org.user_is_role("Owner") == False):
        # return 403 error
    print(f"You are an Owner in org {org.org_id}")
except UnauthorizedException:
    print("Invalid access token")

Check Org Membership and Permission

Similar to checking org membership, but will also verify that the user has the specified permission in the organization. This can be done using either the User or OrgMemberInfo objects.

Permissions are arbitrary strings associated with a role. For example, can_view_billing, ProductA::CanCreate, and ReadOnly are all valid permissions. You can create these permissions in the PropelAuth dashboard.

auth_header = # get authorization header in the form `Bearer {TOKEN}`
org_id = # get org id from request
try:
    user = auth.validate_access_token_and_get_user(auth_header)
    org = user.get_org(org_id)
    if (org is None) or (org.user_has_permission("can_view_billing") == False):
        # return 403 error
    print(f"You can view billing information for org {org.org_id}")
except UnauthorizedException:
    print("Invalid access token")

User

The User object contains information about the user that made the request. It can be retrieved by using validate_access_token_and_get_user.

auth_header = # get authorization header in the form `Bearer {TOKEN}`
try:
   user = auth.validate_access_token_and_get_user(auth_header)
   print("Logged in as", user.user_id)
except UnauthorizedException:
   print("Invalid access token")

Name
user_id
Type
string
Description
The unique id of the user.
Name
org_id_to_org_member_info
Type
dict
Description
A dictionary mapping from organization id to OrgMemberInfo object.
Name
email
Type
string
Description
The email of the user.
Name
first_name
Type
string
Description
The first name of the user.
Name
last_name
Type
string
Description
The last name of the user.
Name
username
Type
string
Description
The username of the user.
Name
properties
Type
dict
Description
A dictionary of custom properties associated with the user.
Name
legacy_user_id
Type
string
Description
If the user was migrated using our Migration API, this will be the id of the user in the legacy system.
Name
impersonator_user_id
Type
string
Description
If the user is being impersonated, this is id of the user that impersonated them.
Name
active_org_id
Type
string | undefined
Description
Returns the ID of the Active Org, if the user has an Active Org set.
Name
login_method
Type
object
Description
The method the user used to log in. Returns the Login Method Property.
Name
is_impersonated()
Type
bool
Description
True if the user is being impersonated.
Name
get_active_org()
Type
dict
Description
Returns the OrgMemberInfo of the Active Org, if the user has an Active Org set.
Name
get_active_org_id()
Type
string
Description
Returns the ID of the Active Org, if the user has an Active Org set.
Name
get_org(org_id)
Type
dict
Description
Returns the org member info for the org_id, if the user is in the org.
Name
get_org_by_name(org_name)
Type
dict
Description
Returns the org member info for the org_name, if the user is in the org.
Name
get_user_property(property_name)
Description
Returns the user property value, if it exists.
Name
get_orgs()
Type
array
Description
Returns the orgs the user is in.
Name
is_role_in_org(org_id, role)
Type
bool
Description
Returns true if the user is the role in the org.
Name
is_at_least_role_in_org(org_id, role)
Type
bool
Description
Returns true if the user is at least the role in the org.
Name
has_permission_in_org(org_id, permission)
Type
bool
Description
Returns true if the user has the permission in the org.
Name
has_all_permissions_in_org(org_id, permissions)
Type
bool
Description
Returns true if the user has all the permissions in the org.

OrgMemberInfo

The OrgMemberInfo object contains information about the user's membership in an organization. It can be retrieved by first getting the User object and using either get_org(), get_active_org(), or get_orgs().

auth_header = # get authorization header in the form `Bearer {TOKEN}`
org_id = # get org id from request
try:
    user = auth.validate_access_token_and_get_user(auth_header)
    orgMemberInfo = user.get_org(org_id)
    print(f"You are in org {orgMemberInfo.org_id}")

Name
org_id
Type
string
Description
The unique id of the organization.
Name
org_name
Type
string
Description
The name of the organization.
Name
org_metadata
Type
object
Description
The metadata associated with the organization.
Name
user_assigned_role
Type
string
Description
The role of the user in the organization.
Name
user_inherited_roles_plus_current_role
Type
list[string]
Description
The role of the user within this organization plus each inherited role.
Name
user_permissions
Type
list[string]
Description
A list of permissions the user has in the organization, based on their role.
Name
url_safe_org_name
Type
string
Description
A URL-safe version of the org_name property.
Name
user_is_role
Type
fn(role: string) -> bool
Description
A function that returns true if the user has the specified role in the organization.
Name
user_is_at_least_role
Type
fn(role: string) -> bool
Description
A function that returns true if the user has at least the specified role in the organization.
Name
user_has_permission
Type
fn(permission: string) -> bool
Description
A function that returns true if the user has the specified permission in the organization.
Name
user_has_all_permissions
Type
fn(permissions: list[string]) -> bool
Description
A function that returns true if the user has all of the specified permissions in the organization.
Name
org_role_structure
Type
string
Description
The role structure set for your project. See multi roles per user for more information.
Name
assigned_additional_roles
Type
list[string]
Description
If using multiple roles per user, returns an array of roles that the user belongs to. Excludes the `user_assigned_role`.
Name
legacy_org_id
Type
string
Description
If the org was migrated from another system, this will be the ID of the org in the legacy system.

Calling Backend APIs

You can also use the library to call the PropelAuth APIs directly, allowing you to fetch users, create orgs, and a lot more. See the API Reference for more information.

from propelauth_py import init_base_auth

auth = init_base_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

magic_link = auth.create_magic_link(email="test@example.com")