Configuration
AuraAuthConfig fields passed through AuraAuth(database_url=..., secret=..., **kwargs).
AuraAuth(database_url=..., secret=..., **kwargs) merges supported keys onto AuraAuthConfig (aura_auth._core.config).
Routing
| Field | Default | Purpose |
|---|---|---|
| route_prefix | "/auth" | Prefix for routes returned by auth.router. |
| — | — | Use auth.raw_router to mount with your own prefix. |
Sessions
| Field | Default | Purpose |
|---|---|---|
| session_lifetime_seconds | 604800 (7 days) | Session row expiry; cookie max-age when using cookies. |
| verify_token_lifetime_seconds | 86400 | Verification rows (e.g. email verify). |
Cookies
When cookie_transport is True, register/login call set_token on the response (HTTP-only cookie by default).
| Field | Default | Purpose |
|---|---|---|
| cookie_transport | False | Use cookie instead of Bearer for get_token / set_token. |
| cookie_name | "aura_token" | Cookie name. |
| cookie_secure | True | Secure flag. Use False for http:// local dev. |
| cookie_httponly | True | HTTP-only. |
| cookie_samesite | "lax" | lax, strict, or none. |
With cookie_transport=True, the client must send the cookie; the Authorization header is not read by the default transport.
Passwords
| Field | Default |
|---|---|
| password_min_length | 8 |
Models (SQLAlchemy)
Optional overrides passed to the backend:
- user_model
- account_model
- session_model
- verification_model
If omitted, the built-in Default* models from aura_auth.models.sqlalchemy are used.
Advanced
| Field | Purpose |
|---|---|
| engine | Inject a pre-built async SQLAlchemy engine (common in tests). |
The secret field is required on the public constructor today (reserved for signing and future JWT-oriented features).
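As an added example (not part of aura_auth or its documentation), the following pre-deployment check audits overrides for the session, cookie and password fields above against the documented defaults. The function name audit_config, its production flag and the rules it applies are assumptions made for illustration.

```python
# Field names and defaults are copied from the tables on this page.
# audit_config and its rules are hypothetical; they are not an aura_auth API.
DEFAULTS = {
    "session_lifetime_seconds": 604800,
    "cookie_transport": False,
    "cookie_secure": True,
    "cookie_httponly": True,
    "cookie_samesite": "lax",
    "password_min_length": 8,
}


def audit_config(overrides, production=True):
    """Return findings for overrides that are weaker than the documented defaults."""
    cfg = {**DEFAULTS, **overrides}
    findings = []
    samesite = str(cfg["cookie_samesite"]).lower()
    if samesite not in ("lax", "strict", "none"):
        findings.append("cookie_samesite must be lax, strict, or none")
    # Cookie flags only matter when the cookie transport is enabled.
    if cfg["cookie_transport"]:
        if production and not cfg["cookie_secure"]:
            findings.append("cookie_secure=False sends the session cookie over http://")
        if not cfg["cookie_httponly"]:
            findings.append("cookie_httponly=False exposes the token to page scripts")
        if samesite == "none":
            if not cfg["cookie_secure"]:
                findings.append("SameSite=None without Secure is rejected by browsers")
            findings.append("SameSite=None sends the cookie cross-site; add CSRF protection")
    if cfg["password_min_length"] < DEFAULTS["password_min_length"]:
        findings.append("password_min_length is below the default of 8")
    if cfg["session_lifetime_seconds"] > DEFAULTS["session_lifetime_seconds"]:
        findings.append("session_lifetime_seconds exceeds the 7-day default")
    return findings


if __name__ == "__main__":
    # Constructed sample: a local-dev override set that was left in place.
    sample = {"cookie_transport": True, "cookie_secure": False, "cookie_samesite": "none"}
    for finding in audit_config(sample):
        print("WARN:", finding)
```

Run it over the same dict that is passed as **kwargs, with production=False for http:// local development.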