Skip to Content
SDKsPython SDK (auris-sdk)

Python SDK (auris-sdk)

auris-sdk is the official Python client library for Auris IAM. It provides a clean, synchronous API for authentication, user management, and fine-grained authorization.

Python version: 3.8+
Dependencies: httpx


Installation

pip install auris-sdk

AurisClient

AurisClient is the main entry point for end-user authentication flows.

Quick Start

from auris import AurisClient client = AurisClient("https://auth.yourdomain.com", "your-client-id") result = client.login("[email protected]", "password") print(f"Logged in as {result.user.email}") print(f"Access token: {result.access_token}")

login / logout

result = client.login("[email protected]", "password") # result.access_token str # result.refresh_token str # result.user UserInfo client.logout()

get_user

Returns the currently authenticated user. Returns None if not authenticated.

user = client.get_user() if user: print(user.id, user.email, user.roles)

get_access_token

token = client.get_access_token() # Use in Authorization: Bearer <token> headers

refresh_token

result = client.refresh_token()

get_m2m_token

Obtains a machine-to-machine access token via the OAuth2 client_credentials grant. Never call from browser or client-side code.

m2m = client.get_m2m_token("client-secret", scopes=["read:users", "manage:roles"]) # m2m.access_token str # m2m.expires_in int
# Send a magic link email client.login_with_magic_link("[email protected]") # Verify the token extracted from the link URL result = client.verify_magic_link("token-from-url")

ManagementClient

ManagementClient is for server-side tenant management using M2M credentials.

Only use ManagementClient in server-side code. The client secret must never be exposed to browsers or end users.

from auris import ManagementClient mgmt = ManagementClient( "https://auth.yourdomain.com", "your-client-id", "your-client-secret", )

Users

# List users users = mgmt.list_users() # Get a single user user = mgmt.get_user("user-id") # Create a user user = mgmt.create_user(email="[email protected]", name="New User") # Delete a user mgmt.delete_user("user-id") # Assign roles mgmt.assign_roles("user-id", ["role-id-1", "role-id-2"]) # Remove roles mgmt.remove_roles("user-id", ["role-id-1"])

Organizations

# List organizations orgs = mgmt.list_organizations() # Get an organization org = mgmt.get_organization("org-id") # Create an organization org = mgmt.create_organization(name="Acme Corp") # Delete an organization mgmt.delete_organization("org-id") # List members members = mgmt.list_members("org-id") # Add a member mgmt.add_member("org-id", "user-id", "member") # Remove a member mgmt.remove_member("org-id", "user-id")

Roles

roles = mgmt.list_roles()

FgaClient

FgaClient implements Zanzibar-style fine-grained authorization. Requires the FGA feature to be enabled on your tenant.

from auris import FgaClient fga = FgaClient( "https://auth.yourdomain.com", "your-client-id", "your-client-secret", )

check_permission

allowed = fga.check_permission("user:alice", "read", "document:budget") print("Allowed:", allowed)

check_permissions

results = fga.check_permissions([ {"user": "user:alice", "relation": "read", "object": "document:budget"}, {"user": "user:alice", "relation": "write", "object": "document:budget"}, ]) # results: list[dict] with "allowed" bool per check

tuple_write

fga.tuple_write([ {"user": "user:bob", "relation": "viewer", "object": "document:report"}, ])

Webhook Verification

from auris import verify_webhook_signature # Django view example def webhook_view(request): payload = request.body signature = request.headers.get("X-Auris-Signature", "") if not verify_webhook_signature(payload, signature, "your-webhook-secret"): from django.http import HttpResponse return HttpResponse(status=401) # Process webhook event... # Flask example from flask import Flask, request, abort app = Flask(__name__) @app.route("/webhooks/auris", methods=["POST"]) def webhook(): if not verify_webhook_signature( request.data, request.headers.get("X-Auris-Signature", ""), "your-webhook-secret", ): abort(401) # Process webhook event... return "", 200

Error Handling

All methods raise AurisError on failure.

from auris import AurisClient, AurisError client = AurisClient("https://auth.yourdomain.com", "your-client-id") try: result = client.login("[email protected]", "wrong-password") except AurisError as e: print(f"HTTP {e.status_code}: {e}")

Common error codes:

CodeStatusDescription
invalid_credentials401Wrong email or password
invalid_token401Token is expired or malformed
permission_denied403User lacks the required permission
not_found404Resource does not exist
rate_limited429Too many requests