Python SDK
Server-side Python client — verify ES256 sessions locally against JWKS, run authorization checks, and manage users and tenants.
qeetid is the server-side Python SDK. It verifies sessions locally against the public
JWKS, runs authorization checks, and manages users and tenants. Minimal dependencies:
httpx for HTTP and
cryptography for local ES256 verification. Python 3.10+.
pip install qeetidInitialize
Authenticate with a secret API key (qk_…) — server-side only.
import os
from qeetid import Qeetid, CreateUserInput
qeetid = Qeetid(api_key=os.environ["QEETID_API_KEY"])Verify a session
Local — verifies the ES256 signature against the published JWKS, then expiry/issuer/audience. No network call after the keys are cached.
claims = qeetid.sessions.verify(access_token)
# claims.user_id, claims.tenant_idAuthorize
if qeetid.can(user=claims.user_id, tenant=claims.tenant_id, permission="billing:write"):
...
# qeetid.can_all(user, tenant, permissions) → True only if all passManage users & tenants
user = qeetid.users.create(CreateUserInput(email="new@acme.com", display_name="New User"))
for u in qeetid.users.list_all():
print(u.email)users.{create,get,update,delete,set_password,list,list_all} and
tenants.{create,get,update,delete,list} are available.
Errors
Failed calls raise QeetidError (or a subclass) carrying status, code, and
request_id:
from qeetid import RateLimitError, InvalidCredentialsError
try:
qeetid.users.get("usr_missing")
except RateLimitError as e:
sleep(e.retry_after_seconds)
except InvalidCredentialsError:
rotate_api_key() # 401 — bad API key429 and idempotent 5xx are retried automatically with backoff, honoring
Retry-After.
Server-only
The Python SDK holds a qk_… API key and sends it as
Authorization: ApiKey. Never ship it to a client.