Metadata-Version: 2.4
Name: pipefy-auth
Version: 0.3.0a1
Summary: Shared OAuth/keychain helpers for Pipefy CLI and MCP server.
Requires-Python: >=3.11
Requires-Dist: httpx-auth>=0.23.1
Requires-Dist: httpx>=0.28
Requires-Dist: keyring>=24
Requires-Dist: keyrings-alt>=5
Requires-Dist: pipefy-infra
Requires-Dist: pydantic-settings>=2.8.1
Requires-Dist: pydantic<3,>=2.13.4
Requires-Dist: pyjwt[crypto]>=2.8
Description-Content-Type: text/markdown

# pipefy-auth

Shared OAuth + keychain helpers for Pipefy CLI and MCP server.

## What lives here

- **`storage`** — keychain-backed `StoredSession` (one entry per `(issuer, client_id)` tuple, under the OS keychain service name `pipefy`).
- **`flow`** — OAuth 2.0 Authorization Code with PKCE login flow.
- **`refresh`** — refresh-token grant + eager pre-use freshness check (`ensure_fresh_session`).
- **`discovery`** — OIDC `.well-known/openid-configuration` fetch + validation.
- **`revoke`** — IdP-side token invalidation (RFC 7009).
- **`identity`** — `OidcClient` dataclass + the `DEFAULT_AUTH_CLIENT_ID` constant (the registered Keycloak public client_id).
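
The checks a client would typically apply to a fetched discovery document before trusting its endpoints for the PKCE login and RFC 7009 revocation steps listed above. This is an added example, not code from `pipefy-auth`: `validate_discovery`, `require_https`, `DiscoveryError` and the sample issuer and document are hypothetical names and constructed values.

```python
from urllib.parse import urlsplit

# Endpoint metadata an authorization-code client needs; OIDC Discovery 1.0
# lists all three as REQUIRED for that flow.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


class DiscoveryError(ValueError):
    """The discovery document must not be trusted."""


def require_https(name, url):
    parts = urlsplit(url) if isinstance(url, str) else None
    if parts is None or parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"{name} is not an absolute https URL: {url!r}")


def validate_discovery(expected_issuer, doc):
    """Return the endpoints to use, or raise DiscoveryError."""
    require_https("issuer", expected_issuer)
    # OIDC Discovery 1.0, section 4.3: the returned issuer must be identical
    # to the issuer the document was requested for (no normalisation).
    if doc.get("issuer") != expected_issuer:
        raise DiscoveryError(f"issuer mismatch: {doc.get('issuer')!r}")
    for name in REQUIRED_ENDPOINTS:
        require_https(name, doc.get(name))
    # RFC 8414: if this field is omitted the server does not support PKCE.
    if "S256" not in (doc.get("code_challenge_methods_supported") or []):
        raise DiscoveryError("IdP does not advertise PKCE method S256")
    endpoints = {name: doc[name] for name in REQUIRED_ENDPOINTS}
    # revocation_endpoint is optional metadata; validate it only if present.
    revocation = doc.get("revocation_endpoint")
    if revocation is not None:
        require_https("revocation_endpoint", revocation)
    endpoints["revocation_endpoint"] = revocation
    return endpoints


# Constructed sample document for a placeholder issuer (not a real IdP).
ISSUER = "https://idp.example.test/realms/demo"
SAMPLE = {
    "issuer": ISSUER,
    "authorization_endpoint": f"{ISSUER}/protocol/openid-connect/auth",
    "token_endpoint": f"{ISSUER}/protocol/openid-connect/token",
    "jwks_uri": f"{ISSUER}/protocol/openid-connect/certs",
    "revocation_endpoint": f"{ISSUER}/protocol/openid-connect/revoke",
    "code_challenge_methods_supported": ["plain", "S256"],
}
print(validate_discovery(ISSUER, SAMPLE))
```

The exact issuer comparison rejects a document whose `issuer` differs only by a trailing slash, which is the behaviour the discovery specification asks for.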

## Consumers

`pipefy-cli` and `pipefy-mcp-server` both depend on this package and read the same keychain entry, so a single `pipefy auth login` serves both binaries.
