litestar-authentication
Authentication
Execution Workflow
- Choose the identity mechanism first: session, JWT header, JWT cookie, OAuth2 password bearer, or custom middleware based on client and trust boundaries.
- Attach authentication once at app scope with
on_app_initor middleware. - Configure exclusion rules explicitly for login, schema, health, and other public routes.
- Use
request.userandrequest.authonly after authentication has been established. - Apply guards separately for authorization checks.
- Keep missing or invalid credential behavior consistent with the exception-handling strategy.
Core Rules
- Keep authentication separate from request parsing and authorization.
- Let request parsing validate input fields before auth-specific business logic where possible.
- Prefer built-in security backends before custom middleware.
- Use custom middleware only when the identity source does not fit a built-in backend.
- Treat
request.userandrequest.authas authenticated context, not parsing shortcuts. - Keep exclusion rules narrow and reviewable.
More from alti3/litestar-skills
litestar-responses
Build Litestar responses with typed return values, explicit Response containers, layered response classes, headers, cookies, status-code control, redirects, files, streams, server-sent events, ASGI app returns, and background tasks. Use when shaping outbound HTTP behavior, correcting response contracts, or choosing the right Litestar response primitive. Do not use for request parsing, validation, or authentication policy design.
22litestar-logging
Configure Litestar logging with `LoggingConfig`, `queue_listener`, exception logging policy, selective stack-trace suppression, standard logging, picologging, Structlog, and custom logging config subclasses. Use when establishing or refactoring application logging behavior, request-level logs, or production-safe error logging in Litestar. Do not use for metrics/tracing instrumentation or exception-response contract design.
22litestar-middleware
Design and apply Litestar middleware for cross-cutting concerns such as CORS, CSRF, allowed-host checks, compression, rate limiting, logging, sessions, request enrichment, policy enforcement, and custom ASGI pipeline control. Use when behavior must wrap broad route sets consistently across the ASGI stack. Do not use for route-specific business rules, simple response mutation better handled by lifecycle hooks, or auth/guard policy work that belongs in security-focused skills.
20litestar-routing
Design and implement Litestar routing with app/router/controller composition, handler decorators, path and parameter modeling, route indexing/reverse lookups, ASGI mounting, and layered route metadata. Use when creating or refactoring endpoint topology and URL contracts. Do not use for purely internal service logic unrelated to HTTP route structure.
18litestar-dto
Configure Litestar DTO behavior for inbound parsing and outbound serialization, including layer-scoped `dto`/`return_dto`, `DTOConfig` policies, `DTOData` update workflows, and custom `AbstractDTO` implementations. Use when API payload contracts differ from internal model structures. Do not use when internal models can be exposed safely without transformation.
18litestar-openapi
Configure Litestar OpenAPI schema generation and documentation UX with `OpenAPIConfig`, route-level schema metadata, schema generation controls, operation customization, UI render plugins, and documentation endpoint strategy. Use when API contract and docs quality must be implemented or corrected, especially for request, auth, and metrics surfaces. Do not use for runtime business logic changes unrelated to schema or documentation.
17