memberapi.ose.tw backend

Quick start

cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh

Required DB setup

  1. Initialize API client whitelist table with docs/API_CLIENTS_SQL.sql.
  2. Initialize core tables with backend/scripts/init_schema.sql.
  3. Generate api_key_hash and update api_clients records, e.g.:
python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'

Authentik JWT setup

  • Configure at least one of:
    • AUTHENTIK_JWKS_URL
    • AUTHENTIK_ISSUER (the service infers <issuer>/jwks/)
  • Optional:
    • AUTHENTIK_AUDIENCE (enables audience claim validation)
    • AUTHENTIK_CLIENT_ID (used by /auth/login; falls back to AUTHENTIK_AUDIENCE)
    • AUTHENTIK_CLIENT_SECRET (required if your access/id token uses HS256 signing)
    • AUTHENTIK_TOKEN_ENDPOINT (default: <AUTHENTIK_BASE_URL>/application/o/token/)
    • AUTHENTIK_USERINFO_ENDPOINT (default inferred from issuer/base URL; used to fill missing email/name claims)
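
An added example, not code from this repository: how the settings above could drive token validation for the HS256 case, using only the Python standard library. The function names, the env dict standing in for .env values, and the issuer comparison are assumptions; the RS256 path that fetches keys from the JWKS URL is not shown.

```python
# Added example: AUTHENTIK_* settings driving HS256 token validation.
# Function names are hypothetical; this is not the service's own code.
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def resolve_jwks_url(env: dict) -> str:
    """An explicit AUTHENTIK_JWKS_URL wins; otherwise infer <issuer>/jwks/."""
    if env.get("AUTHENTIK_JWKS_URL"):
        return env["AUTHENTIK_JWKS_URL"]
    if env.get("AUTHENTIK_ISSUER"):
        return env["AUTHENTIK_ISSUER"].rstrip("/") + "/jwks/"
    raise ValueError("set AUTHENTIK_JWKS_URL or AUTHENTIK_ISSUER")

def sign_hs256(claims: dict, secret: str) -> str:
    """Build a constructed HS256 token; used only to make sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{b64url(mac.digest())}"

def verify_hs256(token: str, env: dict, now=None) -> dict:
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    secret = env.get("AUTHENTIK_CLIENT_SECRET")
    # Accept HS256 only when a secret is configured; never trust "alg" alone.
    if header.get("alg") != "HS256" or not secret:
        raise ValueError("unsupported alg or missing AUTHENTIK_CLIENT_SECRET")
    want = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    if not hmac.compare_digest(want.digest(), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if env.get("AUTHENTIK_ISSUER") and claims.get("iss") != env["AUTHENTIK_ISSUER"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    # The audience claim is checked only when AUTHENTIK_AUDIENCE is set.
    if env.get("AUTHENTIK_AUDIENCE") and env["AUTHENTIK_AUDIENCE"] not in aud:
        raise ValueError("audience mismatch")
    return claims
```

With AUTHENTIK_AUDIENCE unset the aud claim is not examined at all, so a token carrying any audience passes this step.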

Authentik Admin API setup

  • Required for /internal/authentik/users/ensure:
    • AUTHENTIK_BASE_URL
    • AUTHENTIK_ADMIN_TOKEN
    • AUTHENTIK_VERIFY_TLS

Main APIs

  • GET /healthz
  • GET /auth/oidc/url
  • POST /auth/oidc/exchange
  • GET /me (Bearer token required)
  • GET /me/permissions/snapshot (Bearer token required)
  • POST /internal/users/upsert-by-sub
  • GET /internal/permissions/{authentik_sub}/snapshot
  • POST /internal/authentik/users/ensure
  • POST /admin/permissions/grant
  • POST /admin/permissions/revoke
  • GET|POST /admin/systems
  • GET|POST /admin/modules
  • GET|POST /admin/companies
  • GET|POST /admin/sites
  • GET /admin/members
  • GET|POST /admin/permission-groups
  • POST|DELETE /admin/permission-groups/{group_key}/members/{authentik_sub}
  • POST /admin/permission-groups/{group_key}/permissions/grant|revoke
  • GET /internal/systems
  • GET /internal/modules
  • GET /internal/companies
  • GET /internal/sites
  • GET /internal/members