Tesseral for FastAPI

Add B2B auth support to your FastAPI app in just a few lines of code.

Tesseral’s FastAPI SDK lets you add authentication to your Python backend using FastAPI.

The Tesseral FastAPI SDK is open-source and available on GitHub.

Getting Started

Install the Tesseral FastAPI SDK by running:

$ pip install tesseral-fastapi

Then, in your FastAPI application, add the RequireAuthMiddleware to your app:

from fastapi import FastAPI
from tesseral_fastapi import RequireAuthMiddleware

app = FastAPI()

app.add_middleware(
    RequireAuthMiddleware,
    publishable_key="publishable_key_...",
)

Replace publishable_key_... with your project’s Publishable Key. You can find it in the API Keys Settings of the Tesseral Console.

Once you’ve added RequireAuthMiddleware, every HTTP request to your server is authenticated before it reaches a route handler. Requests without valid credentials receive a 401 Unauthorized response and never run your handler code.

Accessing details about the authenticated request

The Tesseral SDK makes information about the current authenticated request available through the Auth object and dependency injection.

Getting the Auth object

To access authentication information in your route handlers, use the get_auth dependency:

from fastapi import FastAPI, Depends
from tesseral_fastapi import Auth, get_auth

app = FastAPI()  # with RequireAuthMiddleware added as shown above

@app.get("/")
async def read_root(auth: Auth = Depends(get_auth)):
    # auth carries the authentication details for this request
    return {"organization_id": auth.organization_id()}

See FastAPI’s documentation on dependency injection and fastapi.Depends for more information on this FastAPI pattern.

Getting the current Organization

To find out what Organization the request is for, use organization_id():

from fastapi import FastAPI, Depends
from tesseral_fastapi import Auth, get_auth

app = FastAPI()  # with RequireAuthMiddleware added as shown above

@app.get("/organizations/me")
async def get_organization(auth: Auth = Depends(get_auth)):
    org_id = auth.organization_id()  # returns a string like "org_..."
    return {"organization_id": org_id}

This is the most common identifier you’ll use in a B2B multitenant application.

Getting the request’s authenticated credentials

If your architecture forwards requests between internal services that need to re-authenticate, use credentials():

from fastapi import FastAPI, Depends
from tesseral_fastapi import Auth, get_auth

app = FastAPI()  # with RequireAuthMiddleware added as shown above

@app.get("/credentials")
async def get_credentials(auth: Auth = Depends(get_auth)):
    creds = auth.credentials()
    # Do not log or return this value; it is the caller's live credential.
    # Use it only when forwarding an internal service-to-service call.
    return {"message": "Credentials retrieved"}

Do not log or expose this value. You usually don’t need to use this unless you’re building internal service-to-service calls.

Getting details about the current User

To access more information about the authenticated User, use access_token_claims():

from fastapi import FastAPI, Depends
from tesseral_fastapi import Auth, get_auth, NotAnAccessTokenError

app = FastAPI()  # with RequireAuthMiddleware added as shown above

@app.get("/user")
async def get_user(auth: Auth = Depends(get_auth)):
    try:
        claims = auth.access_token_claims()
        return {"user_email": claims.user.email}
    except NotAnAccessTokenError:
        # API Key requests have no User behind them
        return {"message": "Request authenticated with API key, not access token"}

access_token_claims returns an AccessTokenClaims, which contains details about the current Session ID, User, and Organization.

If the request was authenticated with an API Key rather than an access token, access_token_claims() raises NotAnAccessTokenError, so handlers that need a User must handle that case.

We recommend using organization_id() in the vast majority of your code; the Organization is almost always the piece of information B2B SaaS code should key on. For more details, see B2B Multitenancy.
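The following is an added example, not code from the Tesseral docs or SDK, showing how organization_id() and access_token_claims() fit together in a tenant-scoped handler: every lookup is keyed on the authenticated Organization rather than on an ID the client supplies, and a destructive action is refused for API Key requests because there is no User behind them. FakeAuth, the stand-in NotAnAccessTokenError, the PROJECTS table and the call() router are constructed so the example runs offline; in a real app the handlers would receive auth: Auth = Depends(get_auth) from the SDK.

```python
from dataclasses import dataclass
from typing import Optional


class NotAnAccessTokenError(Exception):
    """Stand-in for tesseral_fastapi.NotAnAccessTokenError (assumption)."""


@dataclass
class FakeUser:
    email: str


@dataclass
class FakeClaims:
    user: FakeUser


@dataclass
class FakeAuth:
    """Stand-in for tesseral_fastapi.Auth: only the two methods used here."""
    org_id: str
    claims: Optional[FakeClaims] = None  # None models an API Key request

    def organization_id(self) -> str:
        return self.org_id

    def access_token_claims(self) -> FakeClaims:
        if self.claims is None:
            raise NotAnAccessTokenError()
        return self.claims


# Constructed sample data: two tenants sharing one table.
PROJECTS = [
    {"id": "proj_1", "org_id": "org_acme", "name": "acme-prod"},
    {"id": "proj_2", "org_id": "org_acme", "name": "acme-staging"},
    {"id": "proj_3", "org_id": "org_globex", "name": "globex-prod"},
]


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def list_projects_insecure(auth, requested_org_id: str):
    # BUG: trusts an org id taken from the path, query or body.
    # Any authenticated caller can enumerate another tenant's projects.
    return [p for p in PROJECTS if p["org_id"] == requested_org_id]


def list_projects(auth):
    # Correct: scope the query by the Organization the credential belongs to.
    org_id = auth.organization_id()
    return [p for p in PROJECTS if p["org_id"] == org_id]


def get_project(auth, project_id: str):
    # Look up by (org_id, project_id), never by project_id alone, so a guessed
    # id belonging to another tenant is a 404 rather than a data leak.
    org_id = auth.organization_id()
    for p in PROJECTS:
        if p["id"] == project_id and p["org_id"] == org_id:
            return p
    raise NotFound(project_id)


def delete_project(auth, project_id: str) -> str:
    # Destructive actions require a human session: an API Key request has no
    # User claims, so refuse it instead of deleting on behalf of nobody.
    try:
        actor = auth.access_token_claims().user.email
    except NotAnAccessTokenError:
        raise Forbidden("user session required")
    project = get_project(auth, project_id)  # still tenant-scoped
    PROJECTS.remove(project)
    return f"{project['id']} deleted by {actor}"


def call(handler, *args):
    """Mimic the router: map handler exceptions to (status, body)."""
    try:
        return 200, handler(*args)
    except NotFound:
        return 404, None
    except Forbidden:
        return 403, None
```

The insecure variant is kept only to show the contrast: it returns whatever tenant the caller names, which is the classic cross-tenant IDOR. The secure handlers never read an Organization ID from the request at all; the one from auth.organization_id() is the only tenant key, and the API Key versus access token distinction is used for authorization decisions, not for tenant scoping.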