Skip to content

Settings

All configuration lives in a single KEYSMITH dictionary in settings.py. Unspecified keys use library defaults. Unknown keys trigger warning keysmith.W002.

KEYSMITH = {
    "DEFAULT_EXPIRY_DAYS": 90,
    "ENABLE_AUDIT_LOGGING": True,
}

Settings reload automatically when Django's setting_changed signal fires (useful in tests).

Access defaults programmatically:

from keysmith.settings import KEYSMITH_DEFAULTS, keysmith_settings

Hashing

Key Default Description
HASH_BACKEND keysmith.hashers.PBKDF2SHA512TokenHasher Dotted path to hasher class
HASH_ITERATIONS 100_000 PBKDF2 iterations (minimum 10,000)

Token generation

Key Default Description
TOKEN_PREFIX "tok" Namespace in public tokens (max 246 chars)
TOKEN_SECRET_LENGTH 32 Secret length (minimum 16)
DEFAULT_EXPIRY_DAYS 90 Default lifetime in days. Falsy value → no default expiry.

Request authentication

Key Default Description
HEADER_NAME HTTP_X_KEYSMITH_TOKEN request.META key (= X-KEYSMITH-TOKEN header)
ALLOW_QUERY_PARAM False Accept token via query string
QUERY_PARAM_NAME keysmith_token Query parameter name
TRUST_PROXIES False Read client IP from X-Forwarded-For

Scopes

Key Default Description
AVAILABLE_SCOPES [] Allowlist of codenames. Empty = no restriction.
DEFAULT_SCOPES [] Applied when create_token(scopes=None)

Models

Key Default Description
TOKEN_MODEL keysmith.Token Swappable token model
AUDIT_LOG_MODEL keysmith.TokenAuditLog Swappable audit model

Audit logging

Key Default Description
ENABLE_AUDIT_LOGGING True Master switch
AUDIT_LOG_HOOK None Callable replacing DB write
AUDIT_LOG_RETENTION_DAYS None Default for prune_audit_logs

Hooks

Key Default Signature
RATE_LIMIT_HOOK None hook(request, raw_token=None)
DRF_THROTTLE_HOOK None hook(request, token=None)

Error messages

Key Default Description
DEFAULT_ERROR_MESSAGES See below User-facing strings (lazy-translated)

Built-in message keys:

Key Default text
missing_token Authentication credentials were not provided.
invalid_token Your session has expired or the token is invalid.
insufficient_scope You do not have permission to perform this action.
rate_limited Too many authentication attempts. Try again later.

Override individual keys - unspecified keys keep their defaults:

KEYSMITH = {
    "DEFAULT_ERROR_MESSAGES": {
        "invalid_token": "API token is invalid or expired.",
    },
}

Production example

KEYSMITH = {
    "HASH_ITERATIONS": 150_000,
    "DEFAULT_EXPIRY_DAYS": 60,
    "HEADER_NAME": "HTTP_X_API_TOKEN",
    "ALLOW_QUERY_PARAM": False,
    "ENABLE_AUDIT_LOGGING": True,
    "AUDIT_LOG_RETENTION_DAYS": 90,
    "TRUST_PROXIES": True,
    "TOKEN_PREFIX": "api",
    "TOKEN_SECRET_LENGTH": 40,
    "AVAILABLE_SCOPES": ["read", "write", "admin"],
    "DEFAULT_ERROR_MESSAGES": {
        "invalid_token": "API token is invalid or expired.",
    },
}

See also: Customization · Security