Configuration
The plugin is driven by LitestarAuthConfig (import from litestar_auth or litestar_auth.plugin). The configuration reference is split by concern so each page stays focused.
Generated detail lives in the Plugin API (mkdocstrings).
ORM models and the SQLAlchemy adapter are imported from their own modules; the root package does not re-export them:
```python
from litestar_auth import DatabaseTokenAuthConfig, LitestarAuth, LitestarAuthConfig
from litestar_auth.db.sqlalchemy import SQLAlchemyUserDatabase
from litestar_auth.models import User  # or your own model
```
Configuration Pages
| Topic | Page |
|---|---|
| Database-token preset, API-key backend, backend lifecycle, auth paths, and built-in payloads | Backends |
| User model contracts, bundled ORM mixins, token tables, roles, and SQLAlchemyUserDatabase | User and manager |
| Role CLI, manager construction, plugin hooks, password helper, schemas, and secret contracts | Manager customization |
| Redis auth preset, shared rate limiting, replay stores, and Redis import boundaries | Redis |
| Deployment worker-count posture and production shared-store requirements | Deployment |
| TotpConfig fields, TOTP route behavior, and TOTP step-up policy | TOTP |
| OAuthConfig, provider inventory, redirect policy, and token encryption | OAuth |
| CSRF, legacy-token policy, dependency keys, and shared helpers | Security and DI |
| Operator-side proxy, cookie, and secrets-at-rest preconditions | Deployment security contract |
Moved Sections
These headings remain for old links and search results. Follow the target page for the maintained content.
Opaque DB-token preset
Moved to: Backends.
Backend lifecycle contract
Moved to: Backends.
Custom SQLAlchemy User and token models
Moved to: User and manager.
Plugin role CLI
Moved to: Manager customization.
Bundled AccessToken / RefreshToken lifecycle
Moved to: User and manager.
Optional relational role contract
Moved to: User and manager.
SQLAlchemyUserDatabase contract
Moved to: User and manager.
Custom password column names
Moved to: User and manager.
Required (at runtime)
Moved to: Manager customization.
Core wiring
Moved to: Manager customization.
User manager customization
Moved to: Manager customization.
Plugin customization hooks
Moved to: Manager customization.
Manager password surface
Moved to: Manager customization (maintained).
Paths and HTTP feature flags
Moved to: Backends.
Setting include_session_devices=True is an opt-in that mounts authenticated refresh-session management
routes under auth_path: GET /sessions, POST /sessions, DELETE /sessions/{session_id}, and
POST /sessions/revoke-others. These routes require a backend strategy that implements the
refresh-session management protocol, such as the built-in DB token strategy; unsupported JWT or Redis
strategies fail with the structured SESSION_MANAGEMENT_UNSUPPORTED error code rather than
pretending a session dashboard is available.
Built-in auth payload boundary
Moved to: Backends.
Redis-backed auth surface
Moved to: Redis.
Deployment worker-count posture
Moved to: Deployment.
Shared-backend rate limiting
Moved to: Redis.
Low-level Redis builder path
Moved to: Redis.
Redis TOTP replay protection and pending-token deduplication
Moved to: Redis.
Redis contrib import boundary
Moved to: Redis.
TOTP — totp_config: TotpConfig | None
Moved to: TOTP.
TOTP step-up for sensitive operations
Moved to: TOTP.
OAuth — oauth_config: OAuthConfig | None
Moved to: OAuth.
Security and token policy
Moved to: Security and DI.
Schemas and DI
Moved to: Security and DI.
Dependency keys (constants)
Moved to: Security and DI.
Shared helpers — litestar_auth.config
Moved to: Security and DI.
Related
- HTTP API — routes controlled by the flags above.
- Security — production interpretation of sensitive flags.
- Plugin API — mkdocstrings for LitestarAuth, configs, and litestar_auth.config.