Phishing-resistant login, without owning your auth.
Passkeys / WebAuthn for FastAPI. It performs the cryptographically sensitive ceremony — challenge issuance, signature verification, clone detection — and hands control back to you. Secure by default; out of your way by design.
WebAuthn is the strongest mainstream authentication we have and the easiest to implement subtly wrong. Skip an origin check, reuse a challenge, ignore the signature counter, and you have built a lock that looks closed and isn't. Secure-by-default means the unsafe path should be the one you have to go out of your way to take.
The library owns exactly one thing: ceremony verification. Single-use, TTL-bound challenges. Strict origin and relying-party validation. A monotonic signature counter that detects cloned authenticators. Credential and challenge storage sit behind async protocols, with in-memory, stateless, SQLAlchemy, and Redis adapters supplied. The clone-detection ratchet only turns one direction — like the counter it models. I drew it that way because that's what it is.
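To make those three checks concrete, here is an added, self-contained relying-party verifier in plain Python; it is illustrative code written for this page, not the library's own, and the relying-party id, origin allowlist, TTL, in-memory challenge store and the constructed sample assertion are all assumptions. The signature check itself is left out so the challenge, origin, rpIdHash and counter logic stand alone.

```python
import base64, hashlib, json, secrets, struct

RP_ID = "example.com"                      # assumed relying-party id
ALLOWED_ORIGINS = {"https://example.com"}  # assumed exact-match origin allowlist
CHALLENGE_TTL = 120                        # seconds a challenge stays valid
_challenges: dict[str, float] = {}         # challenge -> issue time (in-memory for this example)

def issue_challenge(now: float) -> str:
    """Mint a 256-bit random challenge and record when it was issued."""
    c = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    _challenges[c] = now
    return c

def consume_challenge(c: str, now: float) -> bool:
    """Single-use: pop() removes the challenge on first lookup, so a replay finds nothing.
    TTL-bound: an unused challenge older than CHALLENGE_TTL is rejected as well."""
    issued = _challenges.pop(c, None)
    return issued is not None and now - issued <= CHALLENGE_TTL

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     stored_counter: int, now: float) -> tuple[bool, int]:
    """Relying-party checks on a WebAuthn assertion (the signature check itself is omitted).
    Returns (accepted, counter_to_store)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, stored_counter
    if not consume_challenge(cd.get("challenge", ""), now):   # burn the challenge first
        return False, stored_counter
    if cd.get("origin") not in ALLOWED_ORIGINS:        # strict origin check
        return False, stored_counter
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, stored_counter                   # relying-party id check
    if not auth_data[32] & 0x01:                       # UP flag: user presence required
        return False, stored_counter
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # Clone detection: when either counter is nonzero the new one must strictly advance;
    # a stalled or regressed counter means two authenticators share one private key.
    if (sign_count or stored_counter) and sign_count <= stored_counter:
        return False, stored_counter
    return True, sign_count

def make_assertion(challenge: str, origin: str, sign_count: int) -> tuple[bytes, bytes]:
    """Constructed sample input standing in for what a browser and authenticator would send."""
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    ad = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + struct.pack(">I", sign_count)
    return cd, ad
```

A stored counter of 0 paired with a reported 0 is accepted because the authenticator may not implement a counter at all; any other non-advancing value is treated as a clone signal.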
It is auth-agnostic and ORM-agnostic on purpose. It verifies the passkey and returns the user — your session, your JWT, your database, your call, exposed through explicit hooks. Owning only the hard security problem is the whole point: a library should be small where it is dangerous and silent everywhere else. Alpha, and I say so. An archive records the date and the revision; it doesn't pretend the ink is older than it is.