Module: auth

Utilities for ZAP authentication.

To run authentication in a background thread, see zmq.auth.thread. For integration with the tornado eventloop, see zmq.auth.ioloop. For integration with the asyncio event loop, see zmq.auth.asyncio.

New in version 14.1.


class zmq.auth.Authenticator(context=None, encoding='utf-8', log=None)

Implementation of ZAP authentication for zmq connections.


  • libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see.

  • until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied.

  • GSSAPI requires no configuration.


Allow (whitelist) IP address(es).

Connections from addresses not in the whitelist will be rejected.

  • For NULL, all clients from this address will be accepted.

  • For real auth setups, they will be allowed to continue with authentication.

whitelist is mutually exclusive with blacklist.

configure_curve(domain='*', location=None)

Configure CURVE authentication for a given domain.

CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys.

To cover all domains, use “*”.

You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator’s state

To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.

configure_curve_callback(domain='*', credentials_provider=None)

Configure CURVE authentication for a given domain.

CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:

class CredentialsProvider(object):

    def __init__(self):
        ...e.g. db connection

    def callback(self, domain, key):
        valid = ...lookup key and/or domain in db
        if valid:
  'Authorizing: {0}, {1}'.format(domain, key))
            return True
            logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key))
            return False

To cover all domains, use “*”.

To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location.

configure_gssapi(domain='*', location=None)

Configure GSSAPI authentication

Currently this is a no-op because there is nothing to configure with GSSAPI.

configure_plain(domain='*', passwords=None)

Configure PLAIN authentication for a given domain.

PLAIN authentication uses a plain-text password file. To cover all domains, use “*”. You can modify the password file at any time; it is reloaded automatically.


Return the User-Id corresponding to a CURVE client’s public key

Default implementation uses the z85-encoding of the public key.

Override to define a custom mapping of public key : user-id

This is only called on successful authentication.


client_public_key (bytes) – The client public key used for the given message


user_id – The user ID as text

Return type



Deny (blacklist) IP address(es).

Addresses not in the blacklist will be allowed to continue with authentication.

Blacklist is mutually exclusive with whitelist.


Perform ZAP authentication


Create and bind the ZAP socket


Close the ZAP socket


zmq.auth.create_certificates(key_dir, name, metadata=None)

Create zmq certificates.

Returns the file paths to the public and secret certificate files.


Load public and secret key from a zmq certificate.

Returns (public_key, secret_key)

If the certificate file only contains the public key, secret_key will be None.

If there is no public key found in the file, ValueError will be raised.


Load public keys from all certificates in a directory