memberapi.ose.tw backend
Quick start
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh
Required DB setup
- Initialize API client whitelist table with
docs/API_CLIENTS_SQL.sql. - Initialize core tables with
backend/scripts/init_schema.sql. - Generate
api_key_hashand updateapi_clientsrecords, e.g.:
python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
Authentik JWT setup
- Configure at least one of:
AUTHENTIK_JWKS_URLAUTHENTIK_ISSUER(the service infers<issuer>/jwks/)
- Optional:
AUTHENTIK_AUDIENCE(enables audience claim validation)AUTHENTIK_CLIENT_ID(used by/auth/login, fallback toAUTHENTIK_AUDIENCE)AUTHENTIK_CLIENT_SECRET(required if your access/id token uses HS256 signing)AUTHENTIK_TOKEN_ENDPOINT(default:<AUTHENTIK_BASE_URL>/application/o/token/)AUTHENTIK_USERINFO_ENDPOINT(optional, default inferred from issuer/base URL; used to fill missing email/name claims)
Authentik Admin API setup
- Required for
/internal/authentik/users/ensure:AUTHENTIK_BASE_URLAUTHENTIK_ADMIN_TOKENAUTHENTIK_VERIFY_TLS
Main APIs
GET /healthzPOST /auth/loginGET /me(Bearer token required)GET /me/permissions/snapshot(Bearer token required)POST /internal/users/upsert-by-subGET /internal/permissions/{authentik_sub}/snapshotPOST /internal/authentik/users/ensurePOST /admin/permissions/grantPOST /admin/permissions/revokeGET|POST|PATCH /admin/organizations...GET|POST|PATCH /admin/members...GET|POST|DELETE /admin/members/{member_id}/organizations...GET /internal/membersGET /internal/members/by-sub/{authentik_sub}GET /internal/organizationsGET /internal/organizations/by-code/{org_code}GET /internal/members/{member_id}/organizations