# Sentinel
An authentication proxy and authorization microservice. Sentinel handles OAuth2/OIDC authentication from external IdPs, multi-tenant workspace management, and fine-grained Zanzibar-style permissions so you can focus on your application logic.
Built with FastAPI, SQLAlchemy 2.0 (async), PostgreSQL 16, Redis 7, and Authlib.
- **AuthZ Mode (Recommended)**
  Your app handles IdP login directly (Google, GitHub, Entra ID). Sentinel validates the IdP token against the IdP's JWKS and issues its own authorization JWT. The design is dual-token: the authorization JWT is bound to the IdP subject through `idp_sub`.
- **Multi-Tenant Workspaces**
  Isolate users, groups, and resources by workspace. Role-based access at the workspace level, with the `owner`, `admin`, `editor`, and `viewer` roles embedded in every JWT.
- **Zanzibar-Style Permissions**
  Generic resource permissions keyed by `service_name`, `resource_type`, and `resource_id`. Check access, list accessible resources, and share via ACLs.
- **Custom RBAC**
  Define service actions (`notes:export`, `reports:generate`), create roles, and assign them to users. Check permissions at runtime with a single FastAPI dependency.
- **Python SDK**
  `pip install sentinel-auth-sdk` and integrate in minutes. Middleware, FastAPI dependencies, and permission and role clients with a typed async API.
- **JS / TS SDK**
  Three packages for browser, React, and Next.js. Token management, auth-aware fetch, React hooks, Edge Middleware, and server-side JWT verification.
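The dual-token flow of AuthZ Mode, as an added example that is not Sentinel's own code: an IdP token is validated, an authorization JWT carrying `idp_sub`, `workspace_id` and `role` is minted, and the application refuses a pairing whose subjects differ or whose role is below the one an endpoint requires. To run offline it signs both tokens with HS256 under constructed shared secrets instead of the RS256/JWKS validation a real IdP needs; the issuer, audience, secret and membership values, and every claim name other than `idp_sub`, `workspace_id` and `role`, are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo configuration (assumptions, not Sentinel settings).
IDP_ISSUER = "https://idp.example"
CLIENT_ID = "client-123"
IDP_SECRET = b"idp-demo-secret"          # stands in for the IdP's signing key (really RS256 via JWKS)
AUTHZ_ISSUER = "sentinel"
AUTHZ_AUDIENCE = "my-app"
AUTHZ_SECRET = b"sentinel-demo-secret"   # stands in for Sentinel's signing key
AUTHZ_TTL = 900
MEMBERSHIPS = {"111": ("ws_acme", "editor"), "222": ("ws_acme", "viewer")}  # idp sub -> (workspace, role)
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check the alg allow-list, signature, iss, aud and exp before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("alg not allowed")  # pin the algorithm; the token must not choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims

def issue_authz_token(idp_token: str, now: int) -> str:
    """Sentinel side: validate the IdP token, resolve membership, mint the authz JWT bound to idp_sub."""
    idp = verify_jwt(idp_token, IDP_SECRET, IDP_ISSUER, CLIENT_ID, now)
    membership = MEMBERSHIPS.get(idp["sub"])
    if membership is None:
        raise PermissionError("no workspace membership for this subject")
    workspace_id, role = membership
    claims = {
        "iss": AUTHZ_ISSUER, "aud": AUTHZ_AUDIENCE, "sub": f"user:{idp['sub']}",
        "idp_sub": idp["sub"], "workspace_id": workspace_id, "role": role,
        "iat": now, "exp": now + AUTHZ_TTL,
    }
    return sign_jwt(claims, AUTHZ_SECRET)

def authorize(idp_token: str, authz_token: str, minimum_role: str, now: int) -> dict:
    """App side: both tokens verify, name the same IdP subject, and the role meets the minimum."""
    idp = verify_jwt(idp_token, IDP_SECRET, IDP_ISSUER, CLIENT_ID, now)
    authz = verify_jwt(authz_token, AUTHZ_SECRET, AUTHZ_ISSUER, AUTHZ_AUDIENCE, now)
    if not hmac.compare_digest(str(authz.get("idp_sub", "")), idp["sub"]):
        raise PermissionError("authorization token is bound to a different identity")
    if ROLE_RANK.get(authz.get("role"), -1) < ROLE_RANK[minimum_role]:
        raise PermissionError(f"role {authz.get('role')} is below {minimum_role}")
    return authz

def demo() -> dict:
    """Constructed run: a valid pairing, a cross-identity pairing, and an insufficient role."""
    now = 1_700_000_000
    idp_a = sign_jwt({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "111", "exp": now + 3600}, IDP_SECRET)
    idp_b = sign_jwt({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "222", "exp": now + 3600}, IDP_SECRET)
    authz_a = issue_authz_token(idp_a, now)
    result = {"editor_can_view": authorize(idp_a, authz_a, "viewer", now)["workspace_id"]}
    cases = {"cross_subject": (idp_b, authz_a, "viewer"), "insufficient_role": (idp_a, authz_a, "admin")}
    for label, args in cases.items():
        try:
            authorize(*args, now)
            result[label] = "allowed"
        except PermissionError as exc:
            result[label] = str(exc)
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the binding check is that the authorization JWT never travels alone: the app verifies the IdP token it holds, then refuses an authorization token whose `idp_sub` names anyone else, so a leaked authorization token is useless without the matching IdP login. Role checks compare ranks rather than string equality so that an endpoint requiring `viewer` also admits editors, admins and owners.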
## Quick integration
```python
from fastapi import Depends, FastAPI
from sentinel_auth import Sentinel

sentinel = Sentinel(
    base_url="http://localhost:9003",
    service_name="my-app",
    service_key="sk_...",  # service key issued by Sentinel; load it from the environment, not source
    mode="authz",          # your app does the IdP login; Sentinel issues the authorization JWT
    idp_jwks_url="https://www.googleapis.com/oauth2/v3/certs",  # JWKS used to validate Google ID tokens
)

app = FastAPI(lifespan=sentinel.lifespan)
sentinel.protect(app)


@app.get("/projects")
async def list_projects(user=Depends(sentinel.require_user)):
    # get_projects is your application's own data-access function;
    # scope every query to the caller's workspace.
    return await get_projects(user.workspace_id)
```
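The two permission tiers above, Zanzibar-style resource permissions and custom RBAC, as an added in-memory model that is not Sentinel's own code: relation tuples keyed by `service_name`, `resource_type` and `resource_id` answer check, list and share, and a per-service action registry with roles answers the RBAC question. The `group:` subject expansion and the permission-to-relation table are assumptions made for the example, as are all sample users, groups and resources.

```python
from __future__ import annotations

# Which relations satisfy which permission (assumed rewrite rules for the example).
PERMISSION_RELATIONS = {
    "view": {"viewer", "editor", "owner"},
    "edit": {"editor", "owner"},
    "share": {"owner"},
}
KNOWN_RELATIONS = {r for rels in PERMISSION_RELATIONS.values() for r in rels}


class RelationStore:
    """Zanzibar-style tuples: (service_name, resource_type, resource_id, relation, subject)."""

    def __init__(self) -> None:
        self.tuples: set[tuple[str, str, str, str, str]] = set()
        self.groups: dict[str, set[str]] = {}  # "group:<name>" -> {"user:<id>", ...}

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def share(self, service: str, rtype: str, rid: str, relation: str, subject: str) -> None:
        """Write an ACL entry; unknown relations are rejected rather than silently stored."""
        if relation not in KNOWN_RELATIONS:
            raise ValueError(f"unknown relation {relation}")
        self.tuples.add((service, rtype, rid, relation, subject))

    def revoke(self, service: str, rtype: str, rid: str, relation: str, subject: str) -> None:
        self.tuples.discard((service, rtype, rid, relation, subject))

    def _members(self, subject: str) -> set[str]:
        # A subject is one user or a group; groups expand to their current members.
        if subject.startswith("group:"):
            return set(self.groups.get(subject, ()))
        return {subject}

    def check(self, service: str, rtype: str, rid: str, permission: str, user: str) -> bool:
        wanted = PERMISSION_RELATIONS[permission]  # KeyError on an unknown permission is deliberate
        return any(
            rel in wanted and user in self._members(subj)
            for (svc, typ, ident, rel, subj) in self.tuples
            if svc == service and typ == rtype and ident == rid
        )

    def list_accessible(self, service: str, rtype: str, permission: str, user: str) -> list[str]:
        wanted = PERMISSION_RELATIONS[permission]
        ids = {
            ident for (svc, typ, ident, rel, subj) in self.tuples
            if svc == service and typ == rtype and rel in wanted and user in self._members(subj)
        }
        return sorted(ids)


class ServiceRbac:
    """Custom RBAC: service actions such as notes:export, bundled into roles, assigned to users."""

    def __init__(self, service_name: str) -> None:
        self.service_name = service_name
        self.actions: set[str] = set()
        self.roles: dict[str, set[str]] = {}
        self.assignments: dict[str, set[str]] = {}  # user -> roles

    def define_action(self, action: str) -> None:
        resource, sep, verb = action.partition(":")
        if not sep or not resource or not verb:
            raise ValueError("actions are written '<resource>:<verb>'")
        self.actions.add(action)

    def create_role(self, role: str, actions: set[str]) -> None:
        unknown = actions - self.actions
        if unknown:
            raise ValueError(f"undefined actions: {sorted(unknown)}")
        self.roles[role] = set(actions)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.assignments.setdefault(user, set()).add(role)

    def can(self, user: str, action: str) -> bool:
        # Deny by default: an undefined action never succeeds, whatever roles the user holds.
        return action in self.actions and any(action in self.roles[r] for r in self.assignments.get(user, ()))


def demo() -> dict:
    """Constructed data: alice owns note n1, the design group can view it, bob can edit n2."""
    store = RelationStore()
    store.add_member("group:design", "user:bob")
    store.share("notes", "note", "n1", "owner", "user:alice")
    store.share("notes", "note", "n1", "viewer", "group:design")  # share with a whole group via the ACL
    store.share("notes", "note", "n2", "editor", "user:bob")
    rbac = ServiceRbac("notes")
    rbac.define_action("notes:export")
    rbac.define_action("reports:generate")
    rbac.create_role("exporter", {"notes:export"})
    rbac.assign("user:alice", "exporter")
    return {
        "bob_views_n1": store.check("notes", "note", "n1", "view", "user:bob"),
        "bob_edits_n1": store.check("notes", "note", "n1", "edit", "user:bob"),
        "bob_notes": store.list_accessible("notes", "note", "view", "user:bob"),
        "alice_exports": rbac.can("user:alice", "notes:export"),
        "bob_exports": rbac.can("user:bob", "notes:export"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment: `check` and `list_accessible` are the same predicate evaluated once or over all tuples, so listing can never disagree with checking; and both tiers deny by default, so an unknown permission, relation or action fails loudly instead of falling through to allow.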
## Get started

- **Quickstart**
  Run Sentinel, configure an IdP, and connect your first app in 5 minutes.
- **Tutorials**
  Build a Team Notes app that uses all three authorization tiers: workspace roles, Zanzibar-style resource permissions, and custom RBAC.
