- Identity: authenticated subject, roles, and claims.
- Permission: action plus resource, with canonical `resource:action` names.
- PermissionSet: collection of permission names.
- ResourceOwner: resource ownership metadata.
- OwnershipPolicy: ownership/admin access checks.
- Authenticator: converts credentials into an identity.
- Authorizer: checks whether an identity can perform an action.
- TokenIssuer and TokenVerifier: token boundary interfaces.
- JwtTokenService: PyJWT-backed HS256 JWT issuing and verification.
- JwtAuthenticator: authenticates bearer tokens with a JWT service.
- ApiKeyAuthenticator: small API-key authenticator for examples.
- Argon2idPasswordHasher: preferred password hasher; requires `python-core[auth]`.
- ScryptPasswordHasher: stdlib fallback when Argon2id is unavailable.
- OAuthClientConfig, OAuthAuthorizationUrlBuilder, OAuthTokenRequest, and OAuthToken: OAuth/OIDC helper models.
- OAuthStateStore: one-time state value storage for OAuth examples.
Authentication identifies the caller. Authorization decides what the caller may do. Keep those steps separate.
Use JwtTokenService through python-core[auth]. Keep secrets outside code,
set issuer and audience, and use short expirations.
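The checks that matter when a service issues and verifies its own HS256 tokens, shown as an added example rather than the template's JwtTokenService: the secret comes from the environment (the variable name `JWT_SECRET` is assumed), the issuer and audience are pinned at construction, the algorithm is pinned in the verifier instead of being read from the token header, and a short TTL is enforced against the clock. It is written on the standard library so it runs without PyJWT; the class and method names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import List, Optional


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Hs256TokenService:
    """Issue and verify HS256 JWTs with a pinned issuer, audience and short TTL.

    The secret comes from the JWT_SECRET environment variable (an assumed name)
    unless passed explicitly, so it never lives in source code.
    """

    def __init__(self, issuer: str, audience: str, ttl_seconds: int = 300,
                 secret: Optional[bytes] = None) -> None:
        if secret is None:
            secret = os.environ.get("JWT_SECRET", "").encode("utf-8")
        if len(secret) < 32:
            raise ValueError("HS256 secret must be at least 32 bytes")
        self._secret = secret
        self._issuer = issuer
        self._audience = audience
        self._ttl = ttl_seconds

    def _sign(self, signing_input: bytes) -> bytes:
        return hmac.new(self._secret, signing_input, hashlib.sha256).digest()

    def issue(self, subject: str, roles: List[str], now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self._issuer, "aud": self._audience, "sub": subject,
                  "roles": roles, "iat": now, "exp": now + self._ttl}
        parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
                 for obj in (header, claims)]
        signature = self._sign(".".join(parts).encode("ascii"))
        return ".".join(parts + [_b64url(signature)])

    def verify(self, token: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            header_b64, claims_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            signature = _b64url_decode(sig_b64)
        except (ValueError, binascii.Error):
            raise TokenError("malformed token") from None
        # Pin the algorithm: the token header never gets to choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = self._sign(f"{header_b64}.{claims_b64}".encode("ascii"))
        if not hmac.compare_digest(expected, signature):
            raise TokenError("bad signature")
        # Only parse the claims once the signature has been checked.
        try:
            claims = json.loads(_b64url_decode(claims_b64))
        except (ValueError, binascii.Error):
            raise TokenError("malformed claims") from None
        if not isinstance(claims, dict) or claims.get("iss") != self._issuer:
            raise TokenError("wrong issuer")
        if claims.get("aud") != self._audience:
            raise TokenError("wrong audience")
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            raise TokenError("expired")
        return claims

    def is_valid(self, token: str, now: Optional[int] = None) -> bool:
        """Boolean form of verify() for callers that only need accept/reject."""
        try:
            self.verify(token, now)
        except TokenError:
            return False
        return True
```

Passing `now` explicitly makes expiry testable; in production leave it unset so the wall clock is used. A token issued for one audience fails verification in a service configured for another, which is the property that stops a token minted for the public API from being replayed against an internal one.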
Use the OAuth helpers to build authorization URLs and token request data. Keep provider-specific HTTP calls in adapters so services depend on interfaces.
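The shape of those helpers and the adapter boundary, as an added example that is not the template's own OAuth models: a client config, an authorization-URL builder, a one-time state store, the token request form data, and a small Protocol that is the only HTTP surface the service sees. All names (ClientConfig, StateStore, TokenEndpointClient and so on) and the endpoint URLs in the test are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class ClientConfig:
    """Provider and client settings; assumed field names."""
    client_id: str
    authorization_endpoint: str
    token_endpoint: str
    redirect_uri: str
    scopes: List[str] = field(default_factory=lambda: ["openid"])


class StateStore:
    """Holds state values that may be redeemed exactly once."""

    def __init__(self) -> None:
        self._pending = set()

    def new_state(self) -> str:
        state = secrets.token_urlsafe(32)
        self._pending.add(state)
        return state

    def consume(self, state: str) -> bool:
        # Remove on first use so a replayed or forged state is rejected.
        if state in self._pending:
            self._pending.discard(state)
            return True
        return False


def build_authorization_url(cfg: ClientConfig, state: str) -> str:
    params = {"response_type": "code", "client_id": cfg.client_id,
              "redirect_uri": cfg.redirect_uri, "scope": " ".join(cfg.scopes),
              "state": state}
    return f"{cfg.authorization_endpoint}?{urlencode(params)}"


def token_request_data(cfg: ClientConfig, code: str) -> Dict[str, str]:
    """Form fields for the authorization_code grant; the adapter adds client authentication."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": cfg.redirect_uri, "client_id": cfg.client_id}


def handle_callback(cfg: ClientConfig, store: StateStore,
                    callback_url: str) -> Optional[Dict[str, str]]:
    """Validate the provider redirect; return token request data, or None to deny."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not state or not code or not store.consume(state):
        return None
    return token_request_data(cfg, code)


class TokenEndpointClient(Protocol):
    """The only HTTP dependency of the service; a real adapter wraps an HTTP library."""

    def post_form(self, url: str, data: Dict[str, str]) -> Dict[str, object]: ...


def exchange_code(cfg: ClientConfig, client: TokenEndpointClient,
                  data: Dict[str, str]) -> Dict[str, object]:
    return client.post_form(cfg.token_endpoint, data)
```

Because `handle_callback` consumes the state before anything else happens, a second delivery of the same callback URL is refused, and a callback carrying a state the store never issued never reaches the token endpoint.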
Use ResourceOwner and OwnershipPolicy when access depends on whether the
caller owns a resource. Keep admin override roles explicit.
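The three-step flow the two paragraphs above describe, as an added example rather than the template's own classes: an identity produced by an API-key authenticator, a role authorizer keyed on canonical `resource:action` names, and an ownership policy whose admin override is an explicit set of role names. Class and function names, and the sample keys and roles in the test, are assumptions made for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Identity:
    """The authenticated subject plus the roles and claims attached to it."""
    subject: str
    roles: FrozenSet[str]
    claims: Dict[str, str] = field(default_factory=dict)


def permission_name(resource: str, action: str) -> str:
    """Canonical `resource:action` name: lowercased, trimmed, no stray ':'."""
    resource, action = resource.strip().lower(), action.strip().lower()
    if not resource or not action or ":" in resource or ":" in action:
        raise ValueError("resource and action must be non-empty and free of ':'")
    return f"{resource}:{action}"


class ApiKeyAuthenticator:
    """Step 1: credentials -> identity. Keys are held only as SHA-256 digests."""

    def __init__(self, keys: Dict[str, Identity]) -> None:
        self._by_digest = {self._digest(k): ident for k, ident in keys.items()}

    @staticmethod
    def _digest(key: str) -> bytes:
        return hashlib.sha256(key.encode("utf-8")).digest()

    def authenticate(self, presented_key: str) -> Optional[Identity]:
        presented = self._digest(presented_key)
        # compare_digest keeps the byte comparison itself constant-time.
        for digest, identity in self._by_digest.items():
            if hmac.compare_digest(presented, digest):
                return identity
        return None


class RoleAuthorizer:
    """Step 2: may this identity perform `resource:action` at all?"""

    def __init__(self, role_permissions: Dict[str, Set[str]]) -> None:
        self._role_permissions = role_permissions

    def permissions_for(self, identity: Identity) -> Set[str]:
        granted: Set[str] = set()
        for role in identity.roles:
            granted |= self._role_permissions.get(role, set())
        return granted

    def can(self, identity: Identity, resource: str, action: str) -> bool:
        return permission_name(resource, action) in self.permissions_for(identity)


@dataclass(frozen=True)
class ResourceOwner:
    resource_id: str
    owner_subject: str


class OwnershipPolicy:
    """Step 3: is the caller the owner, or in an explicitly named admin role?"""

    def __init__(self, admin_roles: FrozenSet[str]) -> None:
        self._admin_roles = admin_roles

    def allows(self, identity: Identity, owner: ResourceOwner) -> bool:
        if owner.owner_subject == identity.subject:
            return True
        return bool(identity.roles & self._admin_roles)


def authorize_request(authenticator: ApiKeyAuthenticator, authorizer: RoleAuthorizer,
                      policy: OwnershipPolicy, presented_key: str,
                      resource: str, action: str, owner: ResourceOwner) -> bool:
    """Run the three steps in order; any failure denies."""
    identity = authenticator.authenticate(presented_key)
    if identity is None:
        return False
    if not authorizer.can(identity, resource, action):
        return False
    return policy.allows(identity, owner)
```

Keeping the role check and the ownership check as separate objects means a caller who holds `document:write` still cannot write someone else's document, and an admin override is visible as a named role in `OwnershipPolicy` rather than hidden in a conditional.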
Prefer Argon2id for new projects. Use scrypt when Argon2id is unavailable. Legacy password KDFs are intentionally not implemented in this template.
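How that fallback order looks in code, as an added example and not the template's Argon2idPasswordHasher or ScryptPasswordHasher: a stdlib scrypt hasher that stores its parameters and salt alongside the digest and fails closed on any scheme it does not implement, an Argon2id wrapper over argon2-cffi's `PasswordHasher` (the dependency `python-core[auth]` is assumed to pull in), and a selector that prefers Argon2id when the import succeeds. The scrypt cost parameters and caps are assumptions chosen for interactive logins.

```python
import base64
import hashlib
import hmac
import os


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


class ScryptHasher:
    """Stdlib scrypt: random 16-byte salt, parameters stored with the hash."""

    # Assumed cost for interactive logins: 2**14 * 8 * 128 bytes = 16 MiB memory.
    N, R, P, DKLEN = 2 ** 14, 8, 1, 32

    def hash(self, password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)
        return "$".join(["scrypt", str(self.N), str(self.R), str(self.P),
                         _b64(salt), _b64(digest)])

    def verify(self, password: str, encoded: str) -> bool:
        try:
            scheme, n, r, p, salt_b64, digest_b64 = encoded.split("$")
            n, r, p = int(n), int(r), int(p)
            salt, stored = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        except ValueError:
            return False
        if scheme != "scrypt":
            # Only the schemes implemented here are accepted; legacy KDFs fail closed.
            return False
        if n > 2 ** 16 or r > 16 or p > 4:
            # Refuse stored parameters that would burn unbounded memory (assumed caps).
            return False
        try:
            computed = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                      n=n, r=r, p=p, dklen=len(stored))
        except ValueError:
            return False
        return hmac.compare_digest(computed, stored)


class Argon2Hasher:
    """Thin wrapper over argon2-cffi's PasswordHasher, which defaults to Argon2id."""

    def __init__(self, backend) -> None:
        self._ph = backend

    def hash(self, password: str) -> str:
        return self._ph.hash(password)

    def verify(self, password: str, encoded: str) -> bool:
        import argon2.exceptions
        try:
            return self._ph.verify(encoded, password)
        except (argon2.exceptions.Argon2Error, ValueError):
            return False


def select_hasher():
    """Argon2id when argon2-cffi is installed, otherwise the scrypt fallback."""
    try:
        from argon2 import PasswordHasher
    except ImportError:
        return ScryptHasher()
    return Argon2Hasher(PasswordHasher())
```

Both hashers expose the same `hash`/`verify` pair, so the rest of the code base depends only on that interface and the choice of KDF stays a deployment detail. Storing the parameters in the encoded string is what lets a later cost increase coexist with hashes produced under the old settings.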