Labsco
auth0 logo

auth0-fastapi-api

37

by auth0 · part of auth0/agent-skills

Use when securing FastAPI API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates auth0-fastapi-api for REST…

🔥🔥🔥🔥✓ VerifiedFreeQuick setup
🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

Use when securing FastAPI API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates auth0-fastapi-api for REST…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by auth0

Use when securing FastAPI API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates auth0-fastapi-api for REST… npx skills add https://github.com/auth0/agent-skills --skill auth0-fastapi-api Download ZIPGitHub37

Auth0 FastAPI API Integration

Protect FastAPI API endpoints with JWT access token validation using auth0-fastapi-api.

Note: This SDK is currently in beta. The API surface may change before the stable 1.0 release. Check PyPI for the latest version. Requires Python >= 3.9 and FastAPI >= 0.115.11.

When NOT to Use

  • Server-rendered web applications — Use a session-based login/logout flow instead

  • Single Page Applications — Use auth0-react, auth0-vue, or auth0-angular for client-side auth

  • Mobile applications — Use auth0-react-native or auth0-android

  • Issuing tokens — This skill is for validating access tokens, not issuing them

DPoP Support

Built-in proof-of-possession token binding per RFC 9449. DPoP is enabled by default in mixed mode (accepts both Bearer and DPoP tokens). See Integration Guide for configuration.

Related Skills

  • auth0-quickstart - Basic Auth0 setup and framework detection

  • auth0-mfa - Add Multi-Factor Authentication

  • auth0-cli - Manage Auth0 resources from the terminal

Quick Reference

Auth0FastAPI configuration:

Copy & paste — that's it
auth0 = Auth0FastAPI(
 domain=os.getenv("AUTH0_DOMAIN"), # required (or use domains)
 audience=os.getenv("AUTH0_AUDIENCE"), # required
 dpop_enabled=True, # default; set False for Bearer-only
 dpop_required=False, # default; set True to reject Bearer tokens
)

Route protection:

Copy & paste — that's it
Depends(auth0.require_auth()) # any valid token
Depends(auth0.require_auth(scopes="read:res")) # single scope
Depends(auth0.require_auth(scopes=["r", "w"])) # all scopes required

Accessing claims:

Copy & paste — that's it
claims["sub"] # user/client ID
claims["scope"] # space-separated scopes

Environment variables:

  • AUTH0_DOMAIN — your Auth0 tenant domain (e.g. tenant.us.auth0.com)

  • AUTH0_AUDIENCE — your API identifier (e.g. https://api.example.com)

Common Use Cases:

  • Protect routes → Depends(auth0.require_auth()) (see Step 5)

  • Scope enforcement → Depends(auth0.require_auth(scopes="...")) (see Step 6)

  • DPoP token binding → Integration Guide

  • Reverse proxy setup → Integration Guide

  • Advanced configuration → API Reference

Detailed Documentation

  • Setup Guide — Auth0 CLI setup, environment configuration, getting test tokens

  • Integration Guide — DPoP, scopes, error handling, reverse proxy, testing

  • API Reference — Complete constructor options, method signatures, error codes

References