pico-server-auth 0.1.0__tar.gz

pico_server_auth-0.1.0/.coveragerc

@@ -0,0 +1,7 @@
+[run]
+branch = True
+source = pico_server_auth
+omit = */_version.py
+
+[report]
+show_missing = True

pico_server_auth-0.1.0/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,24 @@
+name: Bug Report
+description: Report a bug
+labels: [bug]
+body:
+  - type: textarea
+    id: description
+    attributes: { label: Description }
+    validations: { required: true }
+  - type: textarea
+    id: steps
+    attributes: { label: Steps to Reproduce, render: python }
+    validations: { required: true }
+  - type: textarea
+    id: expected
+    attributes: { label: Expected Behavior }
+    validations: { required: true }
+  - type: input
+    id: version
+    attributes: { label: Package Version }
+    validations: { required: true }
+  - type: input
+    id: python
+    attributes: { label: Python Version }
+    validations: { required: true }

pico_server_auth-0.1.0/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,15 @@
+name: Feature Request
+description: Suggest an improvement
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes: { label: Problem }
+    validations: { required: true }
+  - type: textarea
+    id: solution
+    attributes: { label: Proposed Solution }
+    validations: { required: true }
+  - type: textarea
+    id: alternatives
+    attributes: { label: Alternatives Considered }

pico_server_auth-0.1.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,13 @@
+## Summary
+
+## Changes
+
+-
+
+## Checklist
+
+- [ ] Tests pass (`pytest tests/ -v`)
+- [ ] Linting passes (`ruff check src/ tests/`)
+- [ ] CHANGELOG.md updated (if user-facing)
+- [ ] No new runtime dependencies
+- [ ] Single-line commit messages

pico_server_auth-0.1.0/.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"

pico_server_auth-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install ruff
+      - run: ruff check src/ tests/
+      - run: ruff format --check src/ tests/
+
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: pip install tox
+      - name: Run tests with coverage
+        env:
+          SETUPTOOLS_SCM_PRETEND_VERSION: "0.1.0"
+        run: |
+          tox -e cov
+          mv .coverage .coverage.${{ matrix.python-version }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.python-version }}
+          path: .coverage.${{ matrix.python-version }}
+          include-hidden-files: true
+          if-no-files-found: error
+
+  coverage:
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - uses: actions/download-artifact@v4
+        with:
+          path: coverage-reports
+      - name: Combine and upload
+        run: |
+          pip install coverage
+          files=$(find coverage-reports -type f -name ".coverage.*")
+          if [ -z "$files" ]; then echo "No coverage files"; exit 1; fi
+          coverage combine $files
+          coverage xml
+      - uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: coverage.xml

pico_server_auth-0.1.0/.github/workflows/codeql.yml

@@ -0,0 +1,21 @@
+name: CodeQL
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with: { languages: python }
+      - uses: github/codeql-action/analyze@v3

pico_server_auth-0.1.0/.github/workflows/docs.yml

@@ -0,0 +1,48 @@
+name: Docs
+on:
+  push:
+    branches: [main]
+    paths: [docs/**, mkdocs.yml]
+  pull_request:
+    branches: [main]
+    paths: [docs/**, mkdocs.yml]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  validate:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.12" }
+      - run: pip install -r docs/requirements.txt
+      - run: mkdocs build --strict
+
+  deploy:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.12" }
+      - run: pip install -r docs/requirements.txt
+      - run: mkdocs build --strict --verbose
+      - uses: actions/upload-pages-artifact@v3
+        with: { path: site }
+      - id: deployment
+        uses: actions/deploy-pages@v4

pico_server_auth-0.1.0/.github/workflows/publish-to-pypi.yml

@@ -0,0 +1,24 @@
+name: Publish to PyPI
+on:
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-python@v5
+        with: { python-version: "3.x" }
+      - run: pip install build
+      - run: python -m build
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true
+          verify-metadata: true
+          attestations: true

pico_server_auth-0.1.0/AGENTS.md

@@ -0,0 +1,56 @@
+# pico-server-auth
+
+Embeddable auth server module for pico-boot. JWT issuance, wallet challenge/verify login, password login, and JWKS endpoint as FastAPI controllers.
+
+## Commands
+
+```bash
+pip install -e ".[test]"          # Install in dev mode
+pytest tests/ -v                  # Run tests
+pytest --cov=pico_server_auth --cov-report=term-missing tests/  # Coverage
+tox                               # Full matrix (3.11-3.14)
+```
+
+## Project Structure
+
+```
+src/pico_server_auth/
+  __init__.py          # Public API exports (ChallengeStore, InMemoryChallengeStore, ServerAuthSettings, TokenIssuer, WalletVerifier)
+  config.py            # ServerAuthSettings (@configured, prefix="server_auth", mapping="tree")
+  controllers.py       # AuthController (@controller, prefix="/auth") — jwks, challenge, wallet_login, password_login
+  challenge_store.py   # ChallengeStore protocol + InMemoryChallengeStore (@component)
+  wallet_verifier.py   # WalletVerifier (@component) — ML-DSA-65, Ed25519, secp256k1
+  token_issuer.py      # TokenIssuer (@component) — RS256 JWT signing + JWKS export
+```
+
+## Key Concepts
+
+- **`AuthController`**: FastAPI controller with `prefix="/auth"`. All endpoints are `@allow_anonymous` (public auth API).
+- **`ServerAuthSettings`**: Configured via `@configured(prefix="server_auth")`. Fields: issuer, audience, algorithm, access_token_expire_minutes, refresh_token_expire_days, challenge_ttl_seconds, auto_create_admin, admin_email, admin_password, supported_wallet_algorithms.
+- **`ChallengeStore`**: Protocol for challenge nonce storage. Default `InMemoryChallengeStore` uses dict with TTL. Replace with Redis/DB by registering a `@component` that implements the protocol.
+- **`WalletVerifier`**: Verifies wallet signatures. Lazy-loads crypto backends (`cryptography` library) on first use.
+- **`TokenIssuer`**: Generates RSA-2048 keypair at startup. Issues access tokens (configurable expiry) and refresh tokens. Exports JWKS for pico-client-auth.
+- **Embedded mode**: pico-server-auth runs inside the same pico-boot process as your app controllers.
+- **Standalone mode**: pico-server-auth runs as a dedicated auth service; other services fetch JWKS remotely.
+
+## Code Style
+
+- Python 3.11+
+- Async endpoints in controller, sync internals for crypto operations
+- Use pico-ioc's `@component`, `@configured` decorators
+- Use pico-fastapi's `@controller`, `@get`, `@post` decorators
+- Error responses: JSON `{"detail": "..."}` via FastAPI `HTTPException`
+
+## Testing
+
+- pytest + pytest-asyncio (mode=auto)
+- RSA keypair fixture for token signing
+- Mock ChallengeStore for controller tests
+- httpx AsyncClient with ASGITransport for e2e tests
+
+## Boundaries
+
+- Do not modify `_version.py`
+- Public API is defined in `__init__.py` — ChallengeStore, InMemoryChallengeStore, ServerAuthSettings, TokenIssuer, WalletVerifier
+- No direct dependency on pico-boot (uses entry point for auto-discovery)
+- Depends on pico-client-auth only for `@allow_anonymous` decorator

pico_server_auth-0.1.0/CHANGELOG.md

@@ -0,0 +1,21 @@
+# Changelog
+
+All notable changes to pico-server-auth will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-03-28
+
+### Added
+
+- `AuthController` with `/auth/jwks`, `/auth/challenge`, `/auth/wallet`, and `/auth/login` endpoints.
+- `ServerAuthSettings` configuration with `@configured(prefix="server_auth")`.
+- `TokenIssuer` for RS256 JWT access and refresh token issuance.
+- `WalletVerifier` with support for ML-DSA-65, Ed25519, and secp256k1 signature verification.
+- `ChallengeStore` protocol with `InMemoryChallengeStore` default implementation.
+- JWKS endpoint compatible with pico-client-auth token validation.
+- Password-based admin login with configurable credentials.
+- Auto-discovery via `pico_boot.modules` entry point.
+
+[0.1.0]: https://github.com/dperezcabrera/pico-server-auth/releases/tag/v0.1.0

pico_server_auth-0.1.0/CLAUDE.md

@@ -0,0 +1,34 @@
+Read and follow ./AGENTS.md for project conventions.
+
+## Pico Ecosystem Context
+
+pico-server-auth is an embeddable auth server module for pico-boot applications. It provides:
+- JWT issuance (RS256) via `TokenIssuer`
+- Wallet challenge/verify login (ML-DSA-65, Ed25519, secp256k1) via `WalletVerifier`
+- Password-based admin login via `AuthController`
+- JWKS endpoint for pico-client-auth token validation
+- In-memory `ChallengeStore` with TTL expiry (replaceable via protocol)
+
+It uses:
+- `@component`, `@configured` from pico-ioc
+- `@controller`, `@get`, `@post` from pico-fastapi
+- `@allow_anonymous` from pico-client-auth
+- Auto-discovered via `pico_boot.modules` entry point
+
+## Key Components
+
+- **`ServerAuthSettings`**: `@configured(prefix="server_auth")` — issuer, audience, algorithm, TTLs, admin credentials, supported wallet algorithms
+- **`AuthController`**: `@controller(prefix="/auth")` — endpoints: `/auth/jwks`, `/auth/challenge`, `/auth/wallet`, `/auth/login`
+- **`TokenIssuer`**: `@component` — RSA key generation, JWT signing, JWKS export
+- **`WalletVerifier`**: `@component` — signature verification for ML-DSA-65, Ed25519, secp256k1
+- **`ChallengeStore`**: Protocol with `InMemoryChallengeStore` default (`@component(on_missing_selector=ChallengeStore)`)
+
+## Key Reminders
+
+- **NEVER change `version_scheme`** in pyproject.toml. It MUST remain `"post-release"`.
+- requires-python >= 3.11
+- Commit messages: one line only
+- Tokens issued here are compatible with pico-client-auth validation (same issuer/audience)
+- `ChallengeStore` is a Protocol — users can replace with Redis/DB by registering their own `@component`
+- `WalletVerifier` lazy-loads crypto backends to avoid hard dependencies
+- `TokenIssuer` generates a fresh RSA keypair on startup (key ID: `pico-server-auth-1`)

pico_server_auth-0.1.0/CODE_OF_CONDUCT.md

@@ -0,0 +1,35 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project maintainer at **dperezcabrera@gmail.com**.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1.

pico_server_auth-0.1.0/CONTRIBUTING.md

@@ -0,0 +1,37 @@
+# Contributing to pico-server-auth
+
+## Development setup
+
+```bash
+git clone https://github.com/dperezcabrera/pico-server-auth.git
+cd pico-server-auth
+python -m venv .venv && source .venv/bin/activate
+pip install -e ".[dev]"
+```
+
+## Running tests
+
+```bash
+pytest tests/ -v
+pytest --cov=pico_server_auth --cov-report=term-missing tests/
+tox
+```
+
+## Linting
+
+```bash
+ruff check src/ tests/
+ruff format src/ tests/
+```
+
+## Code style
+
+- Python 3.11+
+- See AGENTS.md for conventions
+- Single-line commit messages
+
+## What NOT to do
+
+- Don't modify `_version.py` (auto-generated)
+- Don't change `version_scheme` in pyproject.toml
+- Don't add runtime dependencies without discussion

pico_server_auth-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 David Pérez Cabrera
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

pico_server_auth-0.1.0/MANIFEST.in

@@ -0,0 +1,5 @@
+include README.md LICENSE CHANGELOG.md
+recursive-include src *.py py.typed
+recursive-include tests *.py
+exclude .gitignore Dockerfile* docker-compose*.yml Makefile
+prune build dist .tox .pytest_cache __pycache__

pico_server_auth-0.1.0/PKG-INFO

@@ -0,0 +1,169 @@
+Metadata-Version: 2.4
+Name: pico-server-auth
+Version: 0.1.0
+Summary: Embeddable auth server module for the pico ecosystem — JWT issuance, wallet login, JWKS endpoint
+Author-email: David Perez Cabrera <dperezcabrera@gmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/dperezcabrera/pico-server-auth
+Project-URL: Documentation, https://dperezcabrera.github.io/pico-server-auth/
+Project-URL: Repository, https://github.com/dperezcabrera/pico-server-auth
+Project-URL: Changelog, https://github.com/dperezcabrera/pico-server-auth/blob/main/CHANGELOG.md
+Project-URL: Issue Tracker, https://github.com/dperezcabrera/pico-server-auth/issues
+Keywords: auth,jwt,wallet,challenge-response,jwks,ml-dsa-65,ed25519,secp256k1,post-quantum,pico-ioc,pico-boot,dependency-injection
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Framework :: AsyncIO
+Classifier: Typing :: Typed
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pico-ioc[yaml]>=2.2.0
+Requires-Dist: pico-boot>=0.1.0
+Requires-Dist: pico-fastapi>=0.1.0
+Requires-Dist: python-jose[cryptography]>=3.3.0
+Requires-Dist: cryptography>=42.0.0
+Requires-Dist: pydantic>=2.0.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.24.0; extra == "dev"
+Requires-Dist: pytest-cov>=5.0.0; extra == "dev"
+Requires-Dist: ruff>=0.9.0; extra == "dev"
+Requires-Dist: httpx; extra == "dev"
+Dynamic: license-file
+
+# pico-server-auth
+
+[![PyPI](https://img.shields.io/pypi/v/pico-server-auth.svg)](https://pypi.org/project/pico-server-auth/)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/dperezcabrera/pico-server-auth)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+![CI](https://github.com/dperezcabrera/pico-server-auth/actions/workflows/ci.yml/badge.svg)
+[![codecov](https://codecov.io/gh/dperezcabrera/pico-server-auth/branch/main/graph/badge.svg)](https://codecov.io/gh/dperezcabrera/pico-server-auth)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=dperezcabrera_pico-server-auth&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=dperezcabrera_pico-server-auth)
+[![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=dperezcabrera_pico-server-auth&metric=duplicated_lines_density)](https://sonarcloud.io/summary/new_code?id=dperezcabrera_pico-server-auth)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=dperezcabrera_pico-server-auth&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=dperezcabrera_pico-server-auth)
+[![PyPI Downloads](https://static.pepy.tech/personalized-badge/pico-server-auth?period=monthly&units=INTERNATIONAL_SYSTEM&left_color=BLACK&right_color=GREEN&left_text=Monthly+downloads)](https://pepy.tech/projects/pico-server-auth)
+[![Docs](https://img.shields.io/badge/Docs-pico--server--auth-blue?style=flat&logo=readthedocs&logoColor=white)](https://dperezcabrera.github.io/pico-server-auth/)
+[![Interactive Lab](https://img.shields.io/badge/Learn-online-green?style=flat&logo=python&logoColor=white)](https://dperezcabrera.github.io/pico-learn/)
+
+Embeddable auth server module for the [pico-boot](https://github.com/dperezcabrera/pico-boot) ecosystem.
+
+Issues JWT tokens, handles wallet challenge-response login, and exposes JWKS — all compatible with [pico-client-auth](https://github.com/dperezcabrera/pico-client-auth) validation.
+
+## Two deployment modes
+
+**Embedded** — add to any pico-boot app, auth runs in the same process:
+
+```python
+container = init(modules=["myapp", "pico_server_auth"], config=config)
+# /auth/jwks, /auth/challenge, /auth/wallet, /auth/login — all available
+# pico-client-auth validates tokens from the same JWKS
+```
+
+**Standalone** — deploy as a separate auth service (like pico-auth):
+
+```python
+container = init(modules=["pico_server_auth"], config=config)
+app = container.get(FastAPI)
+# Other services point pico-client-auth JWKS to this service's /auth/jwks
+```
+
+## Endpoints
+
+```
+GET  /auth/jwks           JWKS public keys (pico-client-auth fetches this)
+POST /auth/challenge      Request nonce for wallet login
+POST /auth/wallet         Verify wallet signature, issue JWT
+POST /auth/login          Password login (admin bootstrap)
+```
+
+## Wallet login flow
+
+```
+Client                    pico-server-auth
+  │                            │
+  │ POST /auth/challenge       │
+  │ { address: "0x..." }       │
+  │───────────────────────────>│
+  │ { challenge: "<nonce>" }   │
+  │<───────────────────────────│
+  │                            │
+  │ sign(nonce) with wallet    │
+  │                            │
+  │ POST /auth/wallet          │
+  │ { address, public_key,     │
+  │   signature, challenge,    │
+  │   algorithm: "ML-DSA-65" } │
+  │───────────────────────────>│
+  │ { access_token, address }  │
+  │<───────────────────────────│
+```
+
+## Supported wallet algorithms
+
+| Algorithm | Type | Library |
+|-----------|------|---------|
+| ML-DSA-65 | Post-quantum lattice (FIPS 204) | `cryptography` |
+| Ed25519 | Edwards curve | `cryptography` |
+| secp256k1 | Elliptic curve (ECDSA) | `cryptography` |
+
+## Compatibility with pico-client-auth
+
+Tokens issued by pico-server-auth are standard JWT (RS256). pico-client-auth validates them by fetching JWKS from the `/auth/jwks` endpoint.
+
+**Same process**: pico-client-auth discovers the JWKS endpoint automatically (same FastAPI app).
+
+**Separate processes**: configure pico-client-auth to point to the server:
+
+```yaml
+auth_client:
+  issuer: "http://auth-server:8100"
+  audience: "pico"
+  # JWKS fetched from http://auth-server:8100/auth/jwks
+```
+
+## Challenge store
+
+By default, challenges are stored in memory with TTL expiry. For multi-instance deployments, register a custom `ChallengeStore` component:
+
+```python
+@component
+class RedisChallengeStore:
+    async def create(self, address: str) -> str: ...
+    async def validate(self, address: str, nonce: str) -> bool: ...
+    async def cleanup(self) -> int: ...
+```
+
+The in-memory default is replaced automatically via `on_missing_selector`.
+
+## Configuration
+
+```yaml
+server_auth:
+  issuer: "http://localhost:8100"
+  audience: "pico"
+  algorithm: "RS256"
+  access_token_expire_minutes: 15
+  challenge_ttl_seconds: 60
+  supported_wallet_algorithms:
+    - "ML-DSA-65"
+    - "Ed25519"
+    - "secp256k1"
+```
+
+## Stack
+
+- [pico-ioc](https://github.com/dperezcabrera/pico-ioc) — dependency injection
+- [pico-boot](https://github.com/dperezcabrera/pico-boot) — auto-discovery
+- [pico-fastapi](https://github.com/dperezcabrera/pico-fastapi) — controllers
+- [pico-client-auth](https://github.com/dperezcabrera/pico-client-auth) — token validation
+
+## License
+
+MIT