Backend Authentication

Complete authentication system documentation.

Authentication Methods

JWT Bearer Tokens

  • OAuth2 password flow
  • Refresh token rotation
  • Token expiration and renewal

API Keys

  • Scope-based access control
  • Rate limiting per key
  • Key rotation and revocation

OAuth2 Providers

  • Google OAuth
  • GitHub OAuth
  • Custom SAML (enterprise)

JWT Implementation

import os
from datetime import datetime, timedelta, timezone
from uuid import UUID

import jwt  # PyJWT

# Signing secret loaded from the environment (variable name is illustrative); never hard-code it
SECRET_KEY = os.environ["JWT_SECRET_KEY"]

# Token creation
def create_access_token(user_id: UUID) -> str:
    now = datetime.now(timezone.utc)  # timezone-aware; datetime.utcnow() is deprecated
    payload = {
        "sub": str(user_id),
        "iat": now,
        "exp": now + timedelta(minutes=60),
    }
    return jwt.encode(payload, SECRET_KEY, algorithm="HS256")

# Token verification; raises jwt.ExpiredSignatureError or jwt.InvalidTokenError on failure
def verify_access_token(token: str) -> UUID:
    # Pin the accepted algorithms so the token's own "alg" header is never trusted
    payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
    return UUID(payload["sub"])
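The following is an added, self-contained example (not the project's own code) that shows what the verification step above has to enforce: signature check with a constant-time compare, a pinned algorithm, and the expiry check. It builds and verifies an HS256 JWT with only the standard library so it runs without PyJWT; the secret, the `now` parameter and the `InvalidToken` exception are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed secret for this example only; a real service loads it from configuration.
SECRET_KEY = b"example-secret-not-for-production"
ACCESS_TOKEN_MINUTES = 60


class InvalidToken(Exception):
    """Raised for any malformed, tampered, wrongly signed or expired token."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_access_token(user_id: uuid.UUID, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT with sub/iat/exp; `now` (unix seconds) is injectable for tests."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "iat": now, "exp": now + ACCESS_TOKEN_MINUTES * 60}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_access_token(token: str, now: Optional[int] = None) -> uuid.UUID:
    """Return the subject UUID only if algorithm, signature and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed token")

    # Pin the algorithm: the token's own "alg" field is attacker-controlled input.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")

    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")

    payload = json.loads(_b64url_decode(payload_b64))
    # A token without "exp" is treated as invalid rather than as never expiring.
    if payload.get("exp") is None or now >= int(payload["exp"]):
        raise InvalidToken("token expired")
    return uuid.UUID(payload["sub"])
```

The signature is verified before any claim in the payload is acted on, and the `exp` claim is required rather than optional, which is the same ordering PyJWT applies when `algorithms=["HS256"]` is pinned in `jwt.decode`.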

API Key Management

import secrets
import bcrypt

# Generate new API key; the first 8 characters act as a lookup prefix (prefix length assumed)
key = secrets.token_urlsafe(32)
key_prefix = key[:8]
key_hash = bcrypt.hashpw(key.encode(), bcrypt.gensalt(12))  # persist (key_prefix, key_hash); never the raw key

# Validate API key: find the stored hash by prefix, then compare against the presented key
def validate_api_key(key: str) -> bool:
    db_hash = get_key_from_db(key[:8])  # returns the stored bcrypt hash, or None if unknown
    if db_hash is None:
        return False
    return bcrypt.checkpw(key.encode(), db_hash)

Scopes

  • read - Read assets and verification history
  • write - Create and modify assets
  • verify - Perform image verification
  • admin - Organization administration
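The following is an added example, not the project's own code, that puts the API Key Management snippet and the Scopes list together: prefix lookup, hashed storage, scope-based authorization, revocation and rotation. It uses an in-memory dictionary as a stand-in for the database, and PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs without third-party packages; the record layout, the 8-character prefix and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Scope names as listed in the documentation above.
VALID_SCOPES = {"read", "write", "verify", "admin"}
PREFIX_LEN = 8  # assumed lookup-prefix length


@dataclass
class ApiKeyRecord:
    key_hash: bytes
    salt: bytes
    scopes: Set[str]
    revoked: bool = False


# Constructed in-memory store keyed by prefix; stands in for the database table.
KEY_STORE: Dict[str, ApiKeyRecord] = {}


def _hash_key(key: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 as a stdlib stand-in for bcrypt.hashpw; the stored value is never the raw key.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)


def issue_api_key(scopes: Iterable[str]) -> str:
    """Create a key with the given scopes; the raw key is returned once and only its hash is kept."""
    scopes = set(scopes)
    unknown = scopes - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    key = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    KEY_STORE[key[:PREFIX_LEN]] = ApiKeyRecord(_hash_key(key, salt), salt, scopes)
    return key


def lookup(key: str) -> Optional[ApiKeyRecord]:
    """Return the record for a presented key, or None if unknown, revoked or mismatched."""
    rec = KEY_STORE.get(key[:PREFIX_LEN])
    if rec is None or rec.revoked:
        return None
    if not hmac.compare_digest(_hash_key(key, rec.salt), rec.key_hash):
        return None
    return rec


def validate_api_key(key: str) -> bool:
    return lookup(key) is not None


def authorize(key: str, required_scope: str) -> bool:
    """Scope check: the key must be valid and carry exactly the required scope."""
    rec = lookup(key)
    return rec is not None and required_scope in rec.scopes


def revoke_api_key(key: str) -> bool:
    """Mark a key revoked; the record is kept so audit history survives."""
    rec = KEY_STORE.get(key[:PREFIX_LEN])
    if rec is None:
        return False
    rec.revoked = True
    return True


def rotate_api_key(old_key: str) -> Optional[str]:
    """Rotation: issue a new key with the same scopes, then revoke the old one."""
    rec = lookup(old_key)
    if rec is None:
        return None
    new_key = issue_api_key(rec.scopes)
    revoke_api_key(old_key)
    return new_key
```

The prefix is the only part of the key that is stored in the clear, which is what lets the lookup avoid a scan over every stored hash; the full key is still compared only through the hash, so a leaked table does not yield usable keys. Note that the example does not make `admin` imply the other scopes; a key needs each scope it uses.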

See API Reference for endpoint details.