Releases: sreekarnv/fastauth
v0.5.3
What's fixed
`default_role` was silently ignored on signup. Setting `default_role` in `FastAuthConfig` had no effect: the role was never assigned to newly created users. This affected all three registration paths (oauth, register_email, and magic_links).
What's new
- `FastAuth.initialize_roles()` -> a lifespan startup method that seeds the roles defined in `config.roles` into the role adapter.
- No breaking changes. No migration needed. Add `await auth.initialize_roles()` to your lifespan if you use `config.roles` or `config.default_role`.
Full Changelog: v0.5.2...v0.5.3
v0.5.2
Fixed
The JWKS route (`.well-known/jwks.json`) was never registered when `initialize_jwks()` was called inside the FastAPI lifespan handler. `FastAuth.mount()` now checks `config.jwt.jwks_enabled` (static config) instead of `self.jwks_manager` (runtime state), which was always `None` at mount time.
Full Changelog: v0.5.1...v0.5.2
V0.5.1 - OAuth Account Linking & OpenAPI Error Schemas
What's Changed
OAuth Account Linking
Authenticated users can now connect additional OAuth providers to their existing account without
signing out and back in.
New endpoints:
- `GET /auth/oauth/{provider}/link?redirect_uri=...` — requires a valid Bearer token; returns the provider authorization URL with a link-scoped PKCE state
- `GET /auth/oauth/{provider}/link/callback?code=...&state=...` — public; exchanges the code, writes the `OAuthAccount` record, fires the `on_oauth_link` hook, and returns `{"message": "<Provider> account linked successfully"}`
Behaviour:
- Attempting to link a provider account that is already linked to any user returns `400`
- State is flow-scoped (`"flow": "link"`) so link callbacks cannot be confused with sign-in callbacks
- Full PKCE (S256) used for the link flow, matching the existing sign-in flow
New core functions in fastauth.core.oauth:
- `initiate_link_flow(provider, redirect_uri, state_store, user_id)`
- `link_oauth_account(provider, code, state, redirect_uri, state_store, user_adapter, oauth_adapter)`
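The flow-scoped state and S256 PKCE behaviour described above, sketched as an added example (not FastAuth's own code). The in-memory store and the `s256`, `begin` and `consume` names are hypothetical, and the example assumes the public link callback recovers the user from the stored state rather than from a token.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Hypothetical in-memory state store (assumption: the real state_store
# interface is not shown in these release notes).
_STATE = {}


def s256(code_verifier: str) -> str:
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin(flow: str, user_id: Optional[str] = None) -> dict:
    """Start a flow: keep the verifier server-side under an unguessable state."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 range
    _STATE[state] = {"flow": flow, "user_id": user_id, "code_verifier": verifier}
    return {
        "state": state,
        "code_challenge": s256(verifier),
        "code_challenge_method": "S256",
    }


def consume(state: str, expected_flow: str) -> dict:
    """Pop the state (single use) and reject it if issued for another flow."""
    entry = _STATE.pop(state, None)
    if entry is None:
        raise ValueError("unknown or already used state")
    if entry["flow"] != expected_flow:
        raise ValueError("state was issued for a different flow")
    if expected_flow == "link" and not entry["user_id"]:
        raise ValueError("link state is not bound to a user")
    return entry
```

A sign-in state presented at the link callback fails the `flow` check, and a replayed link state fails because it has already been popped.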
OpenAPI Error Schemas
All routers now declare structured error responses so type-checker users, SDK generators, and API
explorers see documented {"detail": "..."} shapes — no behaviour change to existing endpoints.
New model: fastauth.api.schemas.ErrorDetail
| Router | Documented codes |
|---|---|
| `create_auth_router` | 400, 401, 409 on `/register` |
| `create_oauth_router` | 400, 401, 403, 404, 409 on `/{provider}/link` |
| `create_magic_links_router` | 401, 403, 501 |
| `create_passkeys_router` | 400, 401, 403, 404, 501 |
Full Changelog: v0.5.0...v0.5.1
v0.5.0 - Magic Keys
What's new
Magic Links
Passwordless sign-in via a one-time link sent to the user's email. Unknown emails are
auto-registered on first use. Tokens are single-use with a 15-minute TTL.
Custom email templates
Override any built-in email template by pointing email_template_dir at a directory. Only the
files you provide are replaced — everything else falls back to the defaults.
Examples
- `examples/magic_link/` -> magic link app with SQLite + SMTP
- `examples/custom_templates/` -> branded dark-theme email templates
Docs
- Magic Links: feature reference, provider reference, and guide added to the docs site
Full Changelog: v0.4.0...v0.5.0
v0.4.0 - Passkeys (WebAuthn)
What's new
FastAuth now supports passwordless authentication via Touch ID, Face ID, Windows Hello, and hardware security keys.
Passkeys (WebAuthn)
Install:
pip install "sreekarnv-fastauth[standard,webauthn]"
Six endpoints are mounted automatically under /auth/passkeys/ -> register/begin, register/complete, list, delete, authenticate/begin, authenticate/complete.
Credentials are registered with residentKey: preferred so Windows Hello and Touch ID show up in the sign-in dialog without the user entering an email first.
New SQLAlchemyPasskeyAdapter stores credentials in the fastauth_passkeys table. If you use SQLAlchemyAdapter, run await adapter.create_tables() on startup to pick up the new table.
Event hooks: on_passkey_registered and on_passkey_deleted.
See the docs: https://sreekarnv.github.io/fastauth/features/passkeys/
See the example: examples/passkeys/
Bug fix
MemoryUserAdapter.update_user no longer leaves a stale entry in the email index when the email field is changed.
Upgrading
No breaking changes. Passkeys are opt-in — set passkey_adapter and passkey_state_store in FastAuthConfig to activate them.
Full Changelog: v0.3.1...v0.4.0
Release - v0.3.1
Changed
- Fixed issues within the /auth/account/confirm-email-change route
- /auth/account/confirm-email-change route is now a GET route instead of POST
Full Changelog: v0.3.0...v0.3.1
Release v0.3.0 - Major Rewrite
Major Release
- Modular Design: Protocols for providers/adapters/backends (extend w/o forking)
- Auth Providers: Credentials (argon2), Google/GitHub OAuth (PKCE)
- Persistence: SQLAlchemy (users/sessions/tokens/OAuthAccounts/roles) + Memory
- Sessions: JWT (HS256/RS256) or Database (Redis/Memory/DB backends)
- RBAC: Roles/permissions w/ require_role("admin"), require_permission("users:delete")
- Email: Console/SMTP/Webhook transports, verification/reset/change flows
- Microservices: JWKS endpoint + key rotation (joserfc)
- CLI: fastauth init/version/generate-secret/providers
- uv Monorepo: Extras ([standard], [all]), Ruff (Black replacement)
Full Changelog: v0.2.6...v0.3.0
Release v0.2.6
Changed
- `User.hashed_password` is now nullable (`str | None`)
- OAuth-only users have `hashed_password=NULL` instead of a random password
- `verify_password()` returns `False` when password is `None`
- Prevents OAuth-only users from using password login
Full Changelog: v0.2.5...v0.2.6
Release v0.2.5 - CLI Tool
What's New
CLI Tool
Install with `pip install sreekarnv-fastauth[cli]`
| Command | Description |
|---|---|
| `fastauth check` | Verify dependencies |
| `fastauth init` | Scaffold new project |
| `fastauth generate-secret` | Generate JWT secret |
| `fastauth providers` | List OAuth providers |
| `fastauth version` | Show version |
Install
pip install sreekarnv-fastauth[cli]
Usage Docs: https://sreekarnv.github.io/fastauth/guides/cli/
Full Changelog: v0.2.4...v0.2.5
Release v0.2.4 - Optional dependencies
🎉 What's Changed
Changed
- FastAPI is now a peer dependency (not installed automatically)
- httpx is now an optional dependency for OAuth providers (`[oauth]` extra)
Added
- Dependency compatibility module (`fastauth/_compat.py`)
- Updated documentation for optional dependencies
Install
pip install sreekarnv-fastauth # Core
pip install sreekarnv-fastauth[oauth] # OAuth providers
pip install fastapi # Peer dependency
Full Changelog
See CHANGELOG.md for details.
Full Changelog: v0.2.3...v0.2.4