Module: auth.ioloop

ZAP Authenticator integrated with the tornado IOLoop.

New in version 14.1.


class zmq.auth.ioloop.IOLoopAuthenticator(context=None, encoding='utf-8', log=None, io_loop=None)

ZAP authentication for use in the tornado IOLoop


Allow (whitelist) IP address(es).

Connections from addresses not in the whitelist will be rejected.

  • For NULL, all clients from this address will be accepted.
  • For real auth setups, they will be allowed to continue with authentication.

whitelist is mutually exclusive with blacklist.

configure_curve(domain='*', location=None)

Configure CURVE authentication for a given domain.

CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys.

To cover all domains, use “*”.

You can add and remove certificates in that directory at any time.

To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.

configure_gssapi(domain='*', location=None)

Configure GSSAPI authentication

Currently this is a no-op because there is nothing to configure with GSSAPI.

configure_plain(domain='*', passwords=None)

Configure PLAIN authentication for a given domain.

PLAIN authentication uses a plain-text password file. To cover all domains, use “*”. You can modify the password file at any time; it is reloaded automatically.


Deny (blacklist) IP address(es).

Addresses not in the blacklist will be allowed to continue with authentication.

Blacklist is mutually exclusive with whitelist.


Perform ZAP authentication


Start ZAP authentication


Stop ZAP authentication