Architecture¶
deadbolt is a single async-first core with everything concrete pushed behind an interface.
native request ──▶ AuthRequest ──▶ handle() ──▶ AuthResponse ──▶ native response
│
endpoint registry (async callables)
│
DB adapter · session manager · hasher · hooks · plugins
The framework-agnostic contract¶
Python has no universal request/response object, so deadbolt mints its own. The core is one function:
AuthRequest and AuthResponse are plain dataclasses (method, path, headers, query, cookies, raw
body / status, headers, body, cookies). Each web framework gets a ~30-line adapter that translates
its native request into an AuthRequest, awaits handle, and applies the response — including
cookies — through the framework's own cookie API. See FastAPI and
Flask.
Because the contract is a dataclass and not raw ASGI, the same endpoints are also plain callables
(auth.api.*), giving you a server-side API with no HTTP.
ASGI and WSGI from one core¶
The core is async. ASGI frameworks (FastAPI, Starlette) await handle directly. WSGI frameworks
(Flask, classic Django) are served through a single long-lived anyio BlockingPortal — one
background thread running one event loop — so synchronous request handlers can drive the async core
without per-call loop churn. Auth.handle_sync() is the sync entry point.
The pieces¶
| Piece | Role |
|---|---|
Auth |
The one object you configure; exposes handle, handle_sync, api, and sessions. |
| Endpoint registry | Maps (method, path) to async handlers; core endpoints plus every plugin's. |
| Router | Runs pre-flight checks (CSRF, rate limit, body size), before-hooks, the handler, after-hooks; serializes to AuthResponse and emits an audit line. |
| Database adapter | A Protocol for CRUD over user/session/account/verification and plugin tables. See Adapters. |
| Session manager | Creates, validates, rotates, and revokes sessions; builds signed cookies. See Sessions. |
| Plugins | Add endpoints, tables, and hooks. See Plugins. |
| Hooks | Before/after request interception. See Hooks. |
Data model¶
Four core tables: user (id, email, email_verified, name, image, timestamps), session (id,
user_id, hashed token, expiry, ip/user-agent), account (credential or OAuth provider rows,
password hash), and verification (short-lived tokens for reset/verify/OTP challenges). Plugins
add their own tables via Plugin.schema; the CLI generates DDL for the whole set.