Metadata-Version: 2.4
Name: paskia
Version: 0.7.2
Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
Project-URL: Repository, https://github.com/LeoVasanko/paskia
Author: Leo Vasanko
Keywords: FastAPI,auth_request,forward_auth
Requires-Python: >=3.10
Requires-Dist: aiosqlite>=0.19.0
Requires-Dist: base64url>=1.0.0
Requires-Dist: fastapi[standard]>=0.104.1
Requires-Dist: pyjwt>=2.8.0
Requires-Dist: sqlalchemy[asyncio]>=2.0.0
Requires-Dist: user-agents>=2.2.0
Requires-Dist: uuid7-standard>=1.0.0
Requires-Dist: webauthn>=1.11.1
Requires-Dist: websockets>=12.0
Provides-Extra: dev
Requires-Dist: coverage[toml]>=7.0.0; extra == 'dev'
Requires-Dist: httpx>=0.27.0; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.24.0; extra == 'dev'
Requires-Dist: pytest>=8.0.0; extra == 'dev'
Requires-Dist: ruff>=0.1.0; extra == 'dev'
Description-Content-Type: text/markdown

# Paskia

An easy to install passkey-based authentication service that protects any web application with strong passwordless login.

## What is Paskia?

- Easy to use fully featured auth&auth system (login and permissions)
- Organization and role-based access control (optional)
   * Org admins control their users and roles
   * Master admin can create multiple independent orgs
   * Master admin makes permissions available for orgs to assign
- User Profile and Administration by API and web interface.
under `/auth/` or `auth.example.com`
- Reset tokens and additional device linking via QR code or codewords.
- Pure Python, FastAPI, packaged with prebuilt Vue frontend

Two interfaces:
- API fetch: auth checks and login without leaving your app
- Forward-auth proxy: protect any unprotected site or service (Caddy, Nginx)

The API mode is useful for applications that can be customized to run with Paskia. Forward auth can also protect your javascript and other assets. Each provides fine-grained permission control and reauthentication requests where needed, and both can be mixed where needed.

Single Sign-On (SSO): Users register once and authenticate across all applications under your domain name (configured rp-id).

## Quick Start

Install [UV](https://docs.astral.sh/uv/getting-started/installation/) and run:

```fish
uvx paskia serve --rp-id example.com
```

On the first run it downloads the software and prints a registration link for the Admin. If you are going to be connecting `localhost` directly, for testing, leave out the rp-id.

The server will start up on [localhost:4401](http://localhost:4401) "for authentication required", serving for `*.example.com`.

Otherwise you will need a web server such as [Caddy](https://caddyserver.com/) to serve HTTPS on your actual domain names and proxy requests to Paskia and your backend apps.

A quick example without any config file:
```fish
sudo caddy reverse-proxy --from example.com --to :4401
```

For a permanent install of `paskia` CLI command, not needing `uvx`:

```fish
uv tool install paskia
```

## Configuration

There is no config file. Pass only the options on CLI:

```text
paskia serve [options]
```

Optional options:

- Listen address (one of):
    * `[host]:port`: Address and port (default: `localhost:4401`)
    * `unix:/path.sock`: Unix socket
- `--rp-id <domain>`: Main domain (required for production)
- `--rp-name "<text>"`: Name of your company or site (default: same as rp-id)
- `--origin <url>`: Explicit single site (default: `https://<rp-id>`)
- `--auth-host <domain>`: Dedicated authentication site (e.g., `auth.example.com`)

## Documentation

- `API.md`: Complete HTTP and WebSocket API reference
- `Caddy.md`: Caddy configuration examples
- `Headers.md`: HTTP headers passed to protected applications
