Know the devices. Hold the sessions. Revoke at will.
Async trusted-device management and session security for FastAPI — the layer that remembers which devices are yours, keeps their sessions honest, and lets you cut any one of them off cleanly.
Authentication answers 'who are you' once. Everything after that is sessions and devices — the part attackers actually live in. Most apps treat a session as a token in a box and never ask which device is holding it or how to take it back. A session you can't revoke isn't a session, it's a liability with a timer on it.
Devices are first-class: registered, named, trusted, and revocable. Sessions are bound to devices rather than floating free, so 'sign out everywhere' and 'this wasn't me' become single, auditable operations. Built async to the core to sit in front of high-traffic FastAPI services without becoming the bottleneck. This and the passkey library are two halves of one idea. I keep them apart so each stays small.
Treating the device as the unit of trust — not just the session — is what makes revocation meaningful. It pairs naturally with the passkey work: one library proves who you are, the other governs what that proof is allowed to do, and for how long.
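The device-bound model described above, as an added example that is not this library's API or code: `DeviceSessionStore` and all of its method names are hypothetical, and an in-memory dict stands in for a real async backend. It shows why binding each session to a device turns "this wasn't me" and "sign out everywhere" into one call with one audit entry each.

```python
import asyncio
import secrets


class DeviceSessionStore:
    """In-memory sketch: every session token belongs to exactly one device."""

    def __init__(self) -> None:
        self.devices: dict[str, dict] = {}  # device_id -> user_id, name, trusted
        self.sessions: dict[str, str] = {}  # session token -> device_id
        self.audit: list[tuple[str, str, int]] = []  # (event, subject, sessions ended)
        self._lock = asyncio.Lock()  # a real backend would await I/O under it

    async def register_device(self, user_id: str, name: str) -> str:
        device_id = secrets.token_urlsafe(16)
        async with self._lock:
            self.devices[device_id] = {"user_id": user_id, "name": name, "trusted": True}
        return device_id

    async def open_session(self, device_id: str) -> str:
        async with self._lock:
            device = self.devices.get(device_id)
            if device is None or not device["trusted"]:
                raise PermissionError("unknown or revoked device")
            token = secrets.token_urlsafe(32)
            self.sessions[token] = device_id
            return token

    async def validate(self, token: str) -> "str | None":
        async with self._lock:  # None once the session or its device is gone
            device = self.devices.get(self.sessions.get(token, ""))
            return device["user_id"] if device and device["trusted"] else None

    async def _end(self, event: str, subject: str, device_ids: set) -> int:
        async with self._lock:
            dead = [t for t, d in self.sessions.items() if d in device_ids]
            for token in dead:
                del self.sessions[token]
            self.audit.append((event, subject, len(dead)))  # one entry per operation
            return len(dead)

    async def revoke_device(self, device_id: str) -> int:
        self.devices[device_id]["trusted"] = False  # fail closed before sessions end
        return await self._end("device.revoke", device_id, {device_id})

    async def sign_out_everywhere(self, user_id: str) -> int:
        mine = {i for i, d in self.devices.items() if d["user_id"] == user_id}
        return await self._end("user.sign_out_everywhere", user_id, mine)
```

Revoking a device removes its trust and its sessions together, while signing out everywhere ends sessions but leaves the user's devices registered and trusted.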