Releases: Neoteroi/GuardPost

v1.0.4

18 Oct 18:12
e37e00c

  • Add a guardpost.protection namespace with classes offering a strategy for brute-force protection against authentication attempts, and to log all failed authentication attempts consistently.
  • Add an InvalidCredentialsError exception. AuthenticationHandler implementations can raise InvalidCredentialsError when invalid credentials are provided, to enable automatic logging and, if enabled, brute-force protection.
  • Add RateLimiter class that can block authentication attempts after a configurable threshold is exceeded. By default stores failed attempts in-memory.
  • Integrate RateLimiter into AuthenticationStrategy with automatic tracking of failed authentication attempts and support for blocking excessive requests.
  • Add Python 3.14 and remove 3.9 from the build matrix.
  • Drop support for Python 3.9 (it reached EOL in October 2025).
  • Add an optional dependency on essentials, to use its Secret class to handle secrets for JWT validation with symmetric encryption. This is useful to support rotating secrets by updating env variables.
  • Improve exceptions raised for invalid JWTs to include the source exception (exc.__cause__).

v1.0.3

04 Oct 06:44

  • Add a roles property to the Identity object.
  • Add a RolesRequirement class to authorize by sufficient roles (any one is enough).
  • Add support for validating JWTs signed using symmetric encryption (SymmetricJWTValidator and AsymmetricJWTValidator).
  • Add support to call the authorize method with an optional set of roles, treated as sufficient roles to succeed authorization.
  • Add Python 3.12 and 3.13 to the build matrix.
  • Remove Python 3.8 from the build matrix.
  • Improve pyproject.toml.
  • Workflow maintenance.

v1.0.2

16 Jun 18:22
8fdf2e6

  • Raises a more specific exception ForbiddenError when the user of an
    operation is authenticated properly, but authorization fails.
    This enables better handling of authorization errors, differentiating when the
    user context is missing or invalid, and when the context is valid but the
    user has no rights to do a certain operation. See #371.

v1.0.1

20 Mar 22:44
069e2ee

  • Improves the automatic rotation of JWKS: when validating JWTs, JWKS are
    refreshed automatically if an unknown kid is encountered, and JWKS were
    last fetched more than refresh_time seconds ago (by default 120 seconds).
  • Corrects an inconsistency in how claims are read in the User class.
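
The JWKS refresh rule described in the first item above, as an added sketch that is not GuardPost's own code: the class name CachedKeySet, the fetch_jwks callable, the injected clock and the sample kids are assumptions made for illustration; only refresh_time and its 120-second default come from the release note.

```python
import time


class CachedKeySet:
    """Hypothetical kid -> JWK cache (illustration only, not GuardPost's class)."""

    def __init__(self, fetch_jwks, refresh_time=120.0, clock=time.monotonic):
        self._fetch = fetch_jwks          # callable returning {"keys": [...]}
        self._refresh_time = refresh_time
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _reload(self):
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def get_key(self, kid):
        if self._fetched_at is None:
            self._reload()
        key = self._keys.get(kid)
        # Refresh only when BOTH conditions hold: the kid is unknown and the
        # last fetch is older than refresh_time. The age check keeps tokens
        # carrying arbitrary kid values from triggering a fetch per request.
        if key is None and self._clock() - self._fetched_at > self._refresh_time:
            self._reload()
            key = self._keys.get(kid)
        return key  # None means the caller must reject the token


def demo():
    """Constructed scenario: the issuer adds a key after the first fetch."""
    now = [0.0]                                    # fake clock, in seconds
    published = [{"kid": "key-a", "kty": "RSA"}]   # constructed sample JWKS
    fetch_times = []

    def fetch_jwks():
        fetch_times.append(now[0])
        return {"keys": list(published)}

    cache = CachedKeySet(fetch_jwks, refresh_time=120.0, clock=lambda: now[0])
    seen = [cache.get_key("key-a") is not None]        # first use: fetch at t=0
    published.append({"kid": "key-b", "kty": "RSA"})   # issuer rotates keys
    for t, kid in [(30.0, "key-b"), (60.0, "bogus"), (121.0, "key-b")]:
        now[0] = t
        seen.append(cache.get_key(kid) is not None)
    return seen, fetch_times


if __name__ == "__main__":
    print(demo())
```

In this scenario a token signed with the new key is rejected until the cached set is older than refresh_time, so the value chosen bounds both the fetch rate and the delay before a rotated key is accepted.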

v1.0.0

07 Jan 21:00

  • Adds built-in support for dependency injection, using the new ContainerProtocol
    in rodi v2.
  • Partially removes the synchronous code API, maintaining only the asynchronous code API for AuthenticationStrategy.authenticate and AuthorizationStrategy.authorize (authentication handlers and authorization requirements can still be synchronous).
  • Replaces setup.py with pyproject.toml.
  • Reduces imports verbosity.
  • Improves the identity_getter code API.
  • Corrects Identity.__getitem__ to raise KeyError if a claim is missing.

⚠️ Contains breaking changes

v0.0.2-alpha.1

29 Dec 10:25
053aa70

Pre-release

Test release for the new package using the new name neoteroi-auth and the new namespace.
Please refer to the CHANGELOG for more information.

v0.0.9

14 Nov 22:13
d4d37ce

  • Adds sub, access_token, and refresh_token properties to the Identity
    class
  • Adds py.typed file

v0.0.8

31 Oct 13:29

  • Adds classes to handle JWTs validation, but only for RSA keys
  • Includes Python 3.10 in the CI/CD matrix
  • Enforces black and isort in the CI pipeline
  • Fixes issue (wrong arrangement in test) #5

v0.0.7

31 Jan 18:52

v0.0.7 :grapes:

v0.0.6

12 Dec 10:00
67aed7a

v0.0.6 :octocat: