pico-auth v0.1.0
Initial release — Minimal JWT auth server for the pico ecosystem.
Features
- RS256 JWT tokens with auto-generated RSA key pairs (stored in `~/.pico-auth/`)
- Refresh token rotation with SHA-256 hashed storage
- RBAC with four built-in roles: `superadmin`, `org_admin`, `operator`, `viewer`
- OIDC discovery endpoints (`.well-known/openid-configuration`, JWKS)
- Bcrypt password hashing (72-byte input limit enforced)
- Zero-config startup with auto-created admin user
- pico-client-auth integration — endpoints protected via middleware with `@allow_anonymous`, `@requires_role`, and `SecurityContext`
- `LocalJWKSProvider` — reads public keys directly from `JWTProvider` (no HTTP self-call)
API Endpoints
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/auth/register | No | Register a new user |
| POST | /api/v1/auth/login | No | Login and get tokens |
| POST | /api/v1/auth/refresh | No | Refresh access token |
| GET | /api/v1/auth/me | Bearer | Get current user profile |
| POST | /api/v1/auth/me/password | Bearer | Change password |
| GET | /api/v1/auth/users | Admin | List all users |
| PUT | /api/v1/auth/users/{id}/role | Admin | Update user role |
| GET | /api/v1/auth/jwks | No | JSON Web Key Set |
| GET | /.well-known/openid-configuration | No | OIDC discovery |
Error Responses
- Auth/authz errors: HTTP 401/403 with `{"detail": "..."}` (via pico-client-auth middleware)
- Business logic errors: HTTP 200 with `{"error": "..."}` (duplicate email, wrong password, invalid role)
Dependencies
- pico-ioc >= 2.1.0
- pico-boot >= 0.1.0
- pico-fastapi >= 0.1.0
- pico-sqlalchemy >= 0.1.0
- pico-client-auth >= 0.1.0
- python-jose[cryptography] >= 3.3
- bcrypt >= 4.0
Compatibility
- Python 3.11, 3.12, 3.13, 3.14