
Configuration

The configuration section key is `auth`. Values are read from YAML, from environment variables (`LEX_AUTH__*`, with `__` separating nested keys), or passed directly to `AuthConfig(...)`. Keep secrets (`secret_key`, `admin_password`, OAuth2 `client_secret`) out of committed YAML: supply them through the environment, or reference them with `${VAR}` interpolation as the example below does.

**`auth`**

| Key | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `enabled` | bool | `True` | `LEX_AUTH__ENABLED` | Enable auth module |
| `secret_key` | str | (required) | `LEX_AUTH__SECRET_KEY` | Secret key for signing tokens. Use a high-entropy random value (32+ bytes) and supply it from the environment, never as a literal in committed YAML. |
| `admin_email` | str | `None` | `LEX_AUTH__ADMIN_EMAIL` | Initial admin email |
| `admin_password` | str | `None` | `LEX_AUTH__ADMIN_PASSWORD` | Initial admin password. This is a bootstrap credential: supply it from the environment and rotate it after first login. |
| `login_rate_limit` | str | `"5/minute"` | `LEX_AUTH__LOGIN_RATE_LIMIT` | Rate limit for login endpoints |
| `max_sessions_per_user` | int | `None` | `LEX_AUTH__MAX_SESSIONS_PER_USER` | Max concurrent sessions (`None` = unlimited). Set a cap in production so a leaked credential cannot fan out indefinitely. |
| `users` | list[AuthUserConfig] | `[]` | — | Bootstrap users |
| `roles` | dict[str, AuthRoleConfig] | `{}` | — | RBAC role definitions |
| `oauth2_providers` | dict[str, dict] | `{}` | — | OAuth2 provider configs (`client_id`, `client_secret`, etc.). `client_secret` is sensitive; inject it from the environment. |
**`auth.rbac`**

| Key | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `enabled` | bool | `True` | `LEX_AUTH__RBAC__ENABLED` | Enable RBAC enforcement |
| `superuser_bypass` | bool | `True` | `LEX_AUTH__RBAC__SUPERUSER_BYPASS` | Superuser bypasses all permission checks. A compromised superuser account therefore has unrestricted access; keep superuser accounts to a minimum. |
| `default_role` | str | `"viewer"` | `LEX_AUTH__RBAC__DEFAULT_ROLE` | Default role for new users. Keep this the least-privileged role and promote accounts explicitly. |
| `cache_permissions` | bool | `True` | `LEX_AUTH__RBAC__CACHE_PERMISSIONS` | Cache resolved permissions |
| `permission_cache_ttl` | int | `300` | `LEX_AUTH__RBAC__PERMISSION_CACHE_TTL` | Permission cache TTL (seconds). While cached, a role change or revocation may take up to this long to take effect. |
**`auth.token`**

| Key | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `secret_key` | str | (required) | `LEX_AUTH__TOKEN__SECRET_KEY` | JWT signing secret (symmetric HMAC key for `HS*` algorithms) |
| `algorithm` | str | `"HS256"` | `LEX_AUTH__TOKEN__ALGORITHM` | Signing algorithm. `HS256` is symmetric and uses `secret_key`; `RS256` is asymmetric and needs an RSA key pair, which this page does not show how to supply — confirm before selecting it. The verifier should accept only this configured algorithm, not whatever `alg` a presented token claims. |
| `access_token_expire` | Duration | 30 minutes | `LEX_AUTH__TOKEN__ACCESS_TOKEN_EXPIRE` | Access token lifetime |
| `refresh_token_expire` | Duration | 7 days | `LEX_AUTH__TOKEN__REFRESH_TOKEN_EXPIRE` | Refresh token lifetime |
| `id_token_expire` | Duration | 1 hour | `LEX_AUTH__TOKEN__ID_TOKEN_EXPIRE` | ID token lifetime |
| `key_rotation_grace_period` | Duration | 300 seconds | `LEX_AUTH__TOKEN__KEY_ROTATION_GRACE_PERIOD` | Grace period for rotated keys (tokens signed with the previous key remain valid for this long after rotation) |
| `required_audience` | str | `None` | `LEX_AUTH__TOKEN__REQUIRED_AUDIENCE` | Required `aud` claim. Set it to your service's identifier so tokens minted for other audiences are rejected. |
| `allow_unverified_dev` | bool | `False` | `LEX_AUTH__TOKEN__ALLOW_UNVERIFIED_DEV` | Allow unverified decode in dev: tokens are accepted without signature verification, so anyone can forge one. Never enable outside a local development environment. |
**`auth.password`**

| Key | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `min_length` | int | `12` | `LEX_AUTH__PASSWORD__MIN_LENGTH` | Minimum password length |
| `max_length` | int | `128` | `LEX_AUTH__PASSWORD__MAX_LENGTH` | Maximum password length (bounds the cost of hashing attacker-supplied input) |
| `require_uppercase` | bool | `True` | `LEX_AUTH__PASSWORD__REQUIRE_UPPERCASE` | Require uppercase letter |
| `require_lowercase` | bool | `False` | `LEX_AUTH__PASSWORD__REQUIRE_LOWERCASE` | Require lowercase letter |
| `require_digits` | bool | `True` | `LEX_AUTH__PASSWORD__REQUIRE_DIGITS` | Require digit |
| `require_special` | bool | `False` | `LEX_AUTH__PASSWORD__REQUIRE_SPECIAL` | Require special character |
| `banned_patterns` | list[str] | `[]` | — | Case-insensitive banned substrings (e.g. the product name, `"password"`, `"123456"`) |
**`auth.middleware`**

| Key | Type | Default | Env Var | Description |
|---|---|---|---|---|
| `backend` | str | `"session"` | `LEX_AUTH__MIDDLEWARE__BACKEND` | Auth backend type |
| `header_name` | str | `"Authorization"` | `LEX_AUTH__MIDDLEWARE__HEADER_NAME` | Header for token |
| `scheme` | str | `"Bearer"` | `LEX_AUTH__MIDDLEWARE__SCHEME` | Token scheme |
| `optional_auth` | bool | `False` | `LEX_AUTH__MIDDLEWARE__OPTIONAL_AUTH` | Auth is optional: unauthenticated requests are passed through to handlers, which must then enforce authorization themselves. Keep `false` unless every handler does so. |
| `login_url` | str | `None` | `LEX_AUTH__MIDDLEWARE__LOGIN_URL` | Login redirect URL |
| `login_rate_limit` | str | `"5/minute"` | `LEX_AUTH__MIDDLEWARE__LOGIN_RATE_LIMIT` | Rate limit |
| `exclude_paths` | list[str] | `[]` | — | Paths excluded from auth (exact paths) |
| `exclude_prefixes` | list[str] | `[]` | — | Path prefixes excluded from auth. Prefixes match broadly, so keep them narrow (e.g. `/health`, not `/`), and confirm the match is applied to the normalized request path. |
auth:
  # Signing secret is interpolated from the environment, never stored as a literal here.
  secret_key: "${LEX_AUTH__SECRET_KEY}"
  login_rate_limit: "10/minute"
  # Cap concurrent sessions so one leaked credential cannot fan out indefinitely.
  max_sessions_per_user: 3
  rbac:
    enabled: true
    # NOTE(review): superusers skip every permission check; keep superuser accounts minimal.
    superuser_bypass: true
    # Least-privileged role for new accounts; promote explicitly.
    default_role: "viewer"
  token:
    # NOTE(review): RS256 is asymmetric, but only secret_key (an HMAC secret) is
    # configured on this page. Confirm how the RSA key pair is supplied, or use
    # the default HS256 with secret_key.
    algorithm: "RS256"
    access_token_expire: "15m"
    refresh_token_expire: "7d"
    # Tokens issued for a different audience are rejected.
    required_audience: "my-service"
  password:
    min_length: 12
    require_uppercase: true
    require_digits: true
    # Case-insensitive substrings that are rejected anywhere in a password.
    banned_patterns:
      - "password"
      - "123456"
  oauth2_providers:
    google:
      client_id: "${GOOGLE_CLIENT_ID}"
      # Sensitive: environment-injected, not committed.
      client_secret: "${GOOGLE_CLIENT_SECRET}"
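# Required: signing secrets. Replace the placeholder with a random value
# (e.g. `openssl rand -base64 32`); never commit the real value.
export LEX_AUTH__SECRET_KEY="your-256-bit-secret"
export LEX_AUTH__TOKEN__SECRET_KEY="your-256-bit-secret"
# RBAC: new accounts get the least-privileged role and are promoted explicitly.
# Setting the default role to "admin" would grant every new user full access.
export LEX_AUTH__RBAC__ENABLED=true
export LEX_AUTH__RBAC__DEFAULT_ROLE="viewer"
# JWT
# NOTE(review): RS256 is asymmetric and needs an RSA key pair; the secrets above
# are HMAC secrets for HS256. Confirm how the key pair is supplied before using RS256.
export LEX_AUTH__TOKEN__ALGORITHM="RS256"
export LEX_AUTH__TOKEN__ACCESS_TOKEN_EXPIRE="30m"
# Password policy
export LEX_AUTH__PASSWORD__MIN_LENGTH=12
export LEX_AUTH__PASSWORD__REQUIRE_UPPERCASE=true
# Middleware: require authentication on every non-excluded path.
export LEX_AUTH__MIDDLEWARE__OPTIONAL_AUTH=false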