Configuration Options¶
Complete reference for every field on the AuthConfig dataclass. Pass these
values when calling configure() at application startup.
from tortoise_auth import AuthConfig, configure
configure(AuthConfig(
user_model="myapp.User",
signing_secret="change-me",
argon2_memory_cost=131072,
))
All fields have sensible defaults. Only user_model is required for a working
setup.
User Model¶
| Field | Type | Default | Description |
|---|---|---|---|
user_model |
str |
"" |
Dotted path to your concrete user model (e.g. "myapp.User"). Must be a subclass of AbstractUser and registered with Tortoise ORM. |
Warning
You must set user_model before calling any authentication method.
An empty string will cause runtime errors when the library attempts to
resolve the model.
Password Hashing¶
These fields control the parameters passed to the underlying password hashing algorithms. Argon2id is the primary hasher; Bcrypt and PBKDF2-SHA256 are retained for transparent auto-migration of legacy hashes.
Argon2¶
| Field | Type | Default | Description |
|---|---|---|---|
argon2_time_cost |
int |
3 |
Number of iterations (passes over memory). Higher values increase resistance to brute-force attacks at the cost of slower hashing. |
argon2_memory_cost |
int |
65536 |
Memory usage in kibibytes (KiB). The default of 65 536 KiB equals 64 MiB. Increasing this value makes GPU-based attacks significantly more expensive. |
argon2_parallelism |
int |
4 |
Degree of parallelism (number of threads). Should generally match the number of CPU cores available to the hashing process. |
Bcrypt¶
| Field | Type | Default | Description |
|---|---|---|---|
bcrypt_rounds |
int |
12 |
Work factor (log2 of the number of rounds). Each increment doubles the computation time. Used only when verifying or migrating legacy Bcrypt hashes. |
PBKDF2¶
| Field | Type | Default | Description |
|---|---|---|---|
pbkdf2_iterations |
int |
600000 |
Number of PBKDF2-SHA256 iterations. Used only when verifying or migrating legacy PBKDF2 hashes. The OWASP recommendation as of 2023 is at least 600 000. |
Tip
You rarely need to change hashing parameters unless your threat model or hardware profile demands it. The defaults follow current OWASP recommendations.
Password Validation¶
| Field | Type | Default | Description |
|---|---|---|---|
password_validators |
list[PasswordValidator] |
See below | List of validator instances that run when a password is created or changed. Each validator must conform to the PasswordValidator protocol. |
The default list contains four validators, applied in order:
| # | Validator | Behavior |
|---|---|---|
| 1 | MinimumLengthValidator() |
Rejects passwords shorter than a configurable minimum (default 8 characters). |
| 2 | CommonPasswordValidator() |
Rejects passwords that appear in a bundled list of commonly used passwords. |
| 3 | NumericPasswordValidator() |
Rejects passwords that consist entirely of digits. |
| 4 | UserAttributeSimilarityValidator() |
Rejects passwords that are too similar to the user's email or other attributes. |
Password Limits¶
| Field | Type | Default | Description |
|---|---|---|---|
max_password_length |
int |
4096 |
Maximum allowed password length in characters. Passwords exceeding this limit are rejected by set_password() (raises InvalidPasswordError) and check_password() (returns False). Prevents denial-of-service attacks via extremely long passwords that consume hashing resources. |
To replace or extend the defaults, pass your own list:
from tortoise_auth.validators.length import MinimumLengthValidator
configure(AuthConfig(
user_model="myapp.User",
password_validators=[
MinimumLengthValidator(min_length=12),
],
))
Token Settings¶
| Field | Type | Default | Description |
|---|---|---|---|
access_token_lifetime |
int |
900 |
Access token lifetime in seconds. The default of 900 seconds equals 15 minutes. |
refresh_token_lifetime |
int |
604800 |
Refresh token lifetime in seconds. The default of 604 800 seconds equals 7 days. |
token_length |
int |
64 |
Length in bytes of the random opaque token generated for each access and refresh token. The raw bytes are hex-encoded before being returned to the client, so the visible token string will be twice this length. |
max_tokens_per_user |
int |
100 |
Maximum number of active (non-revoked) access tokens per user. When exceeded, the oldest tokens are automatically revoked to stay within the limit. This prevents unbounded token accumulation from repeated logins without logout. |
Signing (HMAC)¶
These fields configure the HMAC-SHA256 signing utilities (Signer,
TimestampSigner, make_token, and verify_token) used for email-confirmation
links, password-reset URLs, and other signed payloads.
| Field | Type | Default | Description |
|---|---|---|---|
signing_secret |
str |
"" |
Secret key used for HMAC-SHA256 signing. This is also used by the effective_signing_secret property. |
signing_token_lifetime |
int |
86400 |
Default maximum age in seconds for signed tokens. The default of 86 400 seconds equals 24 hours. Individual calls to verify_token can override this via the max_age keyword argument. |
JWT Settings¶
These fields configure the JWT token backend (JWTBackend). They are only
relevant when using the JWT backend — the database backend ignores them.
| Field | Type | Default | Description |
|---|---|---|---|
jwt_secret |
str |
"" |
Secret key for signing JWTs with HMAC-SHA256. If empty, falls back to signing_secret. |
jwt_algorithm |
str |
"HS256" |
JWT signing algorithm. Only HMAC algorithms (HS256, HS384, HS512) are supported. |
jwt_issuer |
str |
"" |
Value for the iss (issuer) claim. When set, tokens include this claim and verification requires a matching issuer. Leave empty to omit. |
jwt_audience |
str |
"" |
Value for the aud (audience) claim. When set, tokens include this claim and verification requires a matching audience. Leave empty to omit. |
jwt_blacklist_enabled |
bool |
False |
Enable the database-backed blacklist for JWT revocation. When False, revoke_token() and revoke_all_for_user() are no-ops. |
Tip
The access_token_lifetime and refresh_token_lifetime fields from the
Token Settings section are also used by the JWT backend
to set the exp claim on issued tokens.
Validation Rules¶
Calling AuthConfig.validate() can be used to enforce configuration constraints
at startup.
Tip
Call config.validate() immediately after constructing your config in your
startup code. This catches problems before the first request arrives.
Full Example¶
A production-style configuration that sets every field explicitly:
import os
from tortoise_auth import AuthConfig, configure
from tortoise_auth.validators.length import MinimumLengthValidator
from tortoise_auth.validators.common import CommonPasswordValidator
from tortoise_auth.validators.numeric import NumericPasswordValidator
from tortoise_auth.validators.similarity import UserAttributeSimilarityValidator
configure(AuthConfig(
# User model
user_model="myapp.User",
# Argon2 (primary hasher)
argon2_time_cost=3,
argon2_memory_cost=65536,
argon2_parallelism=4,
# Bcrypt (legacy migration)
bcrypt_rounds=12,
# PBKDF2 (legacy migration)
pbkdf2_iterations=600_000,
# Password validation
password_validators=[
MinimumLengthValidator(min_length=10),
CommonPasswordValidator(),
NumericPasswordValidator(),
UserAttributeSimilarityValidator(),
],
# Token settings
access_token_lifetime=900, # 15 minutes
refresh_token_lifetime=604_800, # 7 days
token_length=64,
max_tokens_per_user=100,
# Password limits
max_password_length=4096,
# Signing
signing_secret=os.environ["AUTH_SIGNING_SECRET"],
signing_token_lifetime=86_400, # 24 hours
# JWT (only needed when using JWTBackend)
jwt_secret=os.environ.get("AUTH_JWT_SECRET", ""),
jwt_algorithm="HS256",
jwt_issuer="myapp",
jwt_audience="myapi",
jwt_blacklist_enabled=True,
))