Python SDK (auris-sdk)
auris-sdk is the official Python client library for Auris IAM. It provides a clean, synchronous API for authentication, user management, and fine-grained authorization.
Python version: 3.8+
Dependencies: httpx
Installation
pip install auris-sdkAurisClient
AurisClient is the main entry point for end-user authentication flows.
Quick Start
from auris import AurisClient
client = AurisClient("https://auth.yourdomain.com", "your-client-id")
result = client.login("[email protected]", "password")
print(f"Logged in as {result.user.email}")
print(f"Access token: {result.access_token}")login / logout
result = client.login("[email protected]", "password")
# result.access_token str
# result.refresh_token str
# result.user UserInfo
client.logout()get_user
Returns the currently authenticated user. Returns None if not authenticated.
user = client.get_user()
if user:
print(user.id, user.email, user.roles)get_access_token
token = client.get_access_token()
# Use in Authorization: Bearer <token> headersrefresh_token
result = client.refresh_token()get_m2m_token
Obtains a machine-to-machine access token via the OAuth2 client_credentials grant. Never call from browser or client-side code.
m2m = client.get_m2m_token("client-secret", scopes=["read:users", "manage:roles"])
# m2m.access_token str
# m2m.expires_in intlogin_with_magic_link / verify_magic_link
# Send a magic link email
client.login_with_magic_link("[email protected]")
# Verify the token extracted from the link URL
result = client.verify_magic_link("token-from-url")ManagementClient
ManagementClient is for server-side tenant management using M2M credentials.
Only use ManagementClient in server-side code. The client secret must never be exposed to browsers or end users.
from auris import ManagementClient
mgmt = ManagementClient(
"https://auth.yourdomain.com",
"your-client-id",
"your-client-secret",
)Users
# List users
users = mgmt.list_users()
# Get a single user
user = mgmt.get_user("user-id")
# Create a user
user = mgmt.create_user(email="[email protected]", name="New User")
# Delete a user
mgmt.delete_user("user-id")
# Assign roles
mgmt.assign_roles("user-id", ["role-id-1", "role-id-2"])
# Remove roles
mgmt.remove_roles("user-id", ["role-id-1"])Organizations
# List organizations
orgs = mgmt.list_organizations()
# Get an organization
org = mgmt.get_organization("org-id")
# Create an organization
org = mgmt.create_organization(name="Acme Corp")
# Delete an organization
mgmt.delete_organization("org-id")
# List members
members = mgmt.list_members("org-id")
# Add a member
mgmt.add_member("org-id", "user-id", "member")
# Remove a member
mgmt.remove_member("org-id", "user-id")Roles
roles = mgmt.list_roles()FgaClient
FgaClient implements Zanzibar-style fine-grained authorization. Requires the FGA feature to be enabled on your tenant.
from auris import FgaClient
fga = FgaClient(
"https://auth.yourdomain.com",
"your-client-id",
"your-client-secret",
)check_permission
allowed = fga.check_permission("user:alice", "read", "document:budget")
print("Allowed:", allowed)check_permissions
results = fga.check_permissions([
{"user": "user:alice", "relation": "read", "object": "document:budget"},
{"user": "user:alice", "relation": "write", "object": "document:budget"},
])
# results: list[dict] with "allowed" bool per checktuple_write
fga.tuple_write([
{"user": "user:bob", "relation": "viewer", "object": "document:report"},
])Webhook Verification
from auris import verify_webhook_signature
# Django view example
def webhook_view(request):
payload = request.body
signature = request.headers.get("X-Auris-Signature", "")
if not verify_webhook_signature(payload, signature, "your-webhook-secret"):
from django.http import HttpResponse
return HttpResponse(status=401)
# Process webhook event...
# Flask example
from flask import Flask, request, abort
app = Flask(__name__)
@app.route("/webhooks/auris", methods=["POST"])
def webhook():
if not verify_webhook_signature(
request.data,
request.headers.get("X-Auris-Signature", ""),
"your-webhook-secret",
):
abort(401)
# Process webhook event...
return "", 200Error Handling
All methods raise AurisError on failure.
from auris import AurisClient, AurisError
client = AurisClient("https://auth.yourdomain.com", "your-client-id")
try:
result = client.login("[email protected]", "wrong-password")
except AurisError as e:
print(f"HTTP {e.status_code}: {e}")Common error codes:
| Code | Status | Description |
|---|---|---|
invalid_credentials | 401 | Wrong email or password |
invalid_token | 401 | Token is expired or malformed |
permission_denied | 403 | User lacks the required permission |
not_found | 404 | Resource does not exist |
rate_limited | 429 | Too many requests |
Related Pages
- JavaScript SDK — Browser, Node.js, and edge runtimes
- Go SDK — Idiomatic Go bindings
- Rust SDK — Async/await with tokio
- Fine-Grained Authorization — FGA model and tuple management
- Webhooks — Webhook delivery and HMAC verification