Cookbook
Complete, from-scratch recipes for a goal. Where the Guides document one feature at a time and assume the base setup, each recipe here builds a working setup end to end, so you can copy one and have the account shape you want.
- The default shape: email/username login, password, verification, and reset, wired end to end.
- No email anywhere: log in by username, no recovery, no verification. For throwaway or internal accounts.
- Phone-first accounts: log in by username, verify and reset over SMS through your own delivery channel.
- Add OAuth end to end: the button, the callback, account linking on verified email, and provisioning new users.
- Both doors, one account: how a password signup and a Google sign-in link into the same user, safely.
- For mobile, CLI, and SPA clients: JWT access tokens, refresh, and scopes, no cookies or CSRF.
- Cookie sessions and bearer tokens together, both resolving to one Principal your routes gate on.
- Tiers, org ids, derived names: who sets a column at signup, and why the server-set ones can't be forged.
- Onboard an existing users table. Adopt CRUDAuth on a table you already have, mapping your column names instead of renaming your schema.
- Redis-backed shared state, lifespan wiring, secrets from the environment, secure cookies, and the real client IP behind a proxy.
- A settings page from opt-in routes: list devices, sign out one or all, change password, self-heal a lost CSRF cookie.
- CRUDAuth as a toolbox: a hand-rolled login over authenticate_password, tokens via issue_tokens, the wired services off auth — routes optional.
Prerequisites: a FastAPI app and an async SQLAlchemy 2.0 session dependency. Each recipe shows everything else from scratch.