I've developed a small library called casbin-fastapi-decorator that provides a clean, decorator-based approach for integrating Casbin authorization into FastAPI projects.
The library was originally based on patterns developed during production use and has since been generalized to fit a wide range of FastAPI architectures. It supports pluggable user providers, enforcer providers, and error factories — making it adaptable without modifying the core integration code.
Links:
Core usage
1. Define your guard once:
```python
# authz.py
from casbin import Enforcer
from fastapi import HTTPException
from casbin_fastapi_decorator import PermissionGuard

guard = PermissionGuard(
    user_provider=get_current_user,  # any FastAPI dependency
    enforcer_provider=lambda: Enforcer("model.conf", "policy.csv"),
    error_factory=lambda *_: HTTPException(403, "Forbidden"),
)
```
2. Protect routes with decorators:
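```python
from typing import Annotated

from fastapi import Depends

# app, guard, get_current_user, Resource, Permission and the schemas
# are defined elsewhere in the application.

@app.get("/articles")
@guard.require_permission(Resource.POST, Permission.READ)
async def list_posts() -> list[PostSchema]:
    ...

@app.get("/me")
@guard.auth_required()
async def me(user: Annotated[UserSchema, Depends(get_current_user)]) -> UserSchema:
    ...
```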
Available integrations
The ecosystem currently includes three packages:
| Package | Description |
|---|---|
| casbin-fastapi-decorator | Core library — PermissionGuard with pluggable providers |
| casbin-fastapi-decorator-jwt | JWTUserProvider — decodes JWT and maps claims to a user model |
| casbin-fastapi-decorator-db | DatabaseEnforcerProvider — loads policies from a SQLAlchemy model on each request |
JWT example:
```python
from casbin_fastapi_decorator_jwt import JWTUserProvider

user_provider = JWTUserProvider(
    secret_key="secret",  # placeholder value; load the real key from configuration
    algorithm="HS256",
    user_model=UserSchema,
)

guard = PermissionGuard(
    user_provider=user_provider,
    enforcer_provider=get_enforcer,
    error_factory=lambda *_: HTTPException(403, "Forbidden"),
)
```
Database-backed policies (SQLAlchemy):
```python
from casbin_fastapi_decorator_db import DatabaseEnforcerProvider

enforcer_provider = DatabaseEnforcerProvider(
    model_path="casbin/model.conf",
    session_factory=async_session,
    policy_model=Policy,
    policy_mapper=lambda p: (p.sub, p.obj, p.act),
)
```
Working examples
The repository includes three ready-to-run examples:
examples/core — minimal setup with file-based policies and Bearer token auth
examples/core-jwt — JWT authentication via JWTUserProvider
examples/core-db — DB-backed policies via DatabaseEnforcerProvider (SQLAlchemy + aiosqlite)
I'd like to propose adding this to the official documentation as a community integration option for FastAPI users. Happy to provide any additional context if needed.
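A sketch of the guard pattern described in the post, added here as an example and not the library's own code: `SketchGuard`, `TupleEnforcer`, `call`, the user name and the policy rows are hypothetical stand-ins. It shows the guard failing closed on an unlisted action and, because the enforcer provider runs on every call (as `DatabaseEnforcerProvider` is described as doing per request), a removed policy row denying the very next call.

```python
import asyncio
from functools import wraps

class TupleEnforcer:  # toy stand-in for casbin.Enforcer: exact match, else deny
    def __init__(self, policies):
        self.policies = set(policies)
    def enforce(self, sub, obj, act):
        return (sub, obj, act) in self.policies

class SketchGuard:  # hypothetical name; not the library's PermissionGuard
    def __init__(self, user_provider, enforcer_provider, error_factory):
        self.user_provider = user_provider
        self.enforcer_provider = enforcer_provider
        self.error_factory = error_factory

    def require_permission(self, obj, act):
        def decorator(handler):
            @wraps(handler)
            async def wrapper(*args, **kwargs):
                user = await self.user_provider()
                enforcer = self.enforcer_provider()  # fresh policies on every call
                if not enforcer.enforce(user, obj, act):
                    raise self.error_factory(user, obj, act)
                return await handler(*args, **kwargs)
            return wrapper
        return decorator

ROWS = [{"sub": "alice", "obj": "post", "act": "read"}]  # constructed policy rows
async def current_user():
    return "alice"  # constructed identity

guard = SketchGuard(
    user_provider=current_user,
    enforcer_provider=lambda: TupleEnforcer((p["sub"], p["obj"], p["act"]) for p in ROWS),
    error_factory=lambda *_: PermissionError("Forbidden"),
)

@guard.require_permission("post", "read")
async def list_posts():
    return ["first post"]

@guard.require_permission("post", "delete")
async def delete_post():
    return "deleted"

def call(handler):  # run a guarded handler; "denied" if the guard refused
    try:
        return asyncio.run(handler())
    except PermissionError:
        return "denied"
```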