Skip to main content
The veloiq_framework package exposes every symbol you need to build a full-stack VeloIQ application: the app factory, SQLModel base classes, a relationship wrapper with cardinality metadata, automatic CRUD router generation, role-based and row-level access control decorators, and FastAPI dependencies for auth and database sessions.

Installation


App factory

create_veloiq_app

Creates and returns a fully configured FastAPI application. When config is omitted, VeloIQConfig is constructed from environment variables and any **kwargs you pass. The returned app is a standard FastAPI instance — you can add routes, middleware, or dependencies on top.
config
VeloIQConfig | None
A VeloIQConfig instance. If None, one is built from environment variables. See Configuration.
**kwargs
Any
Forwarded to VeloIQConfig when config is not provided. Accepts the same fields as VeloIQConfig.
create_veloiq_app raises ValueError if no DATABASE_URL can be determined from the config or the environment.

Base models

All base classes extend SQLModel. Declare your tables by inheriting from one of these classes with table=True.

FrameworkModel

Minimal base model providing a standard auto-increment integer primary key named id. Use this when you do not need timestamp columns.

TimestampedModel

Extends FrameworkModel with automatic created_at and updated_at columns. The schema generator appends these two fields after all fields you declare, so they appear last in every list, form, and detail view.

StandardModel

CubicWeb-compatible base model for applications that require eid as the primary key and cw_ column naming conventions. The eid Python attribute maps to the cw_eid physical column. Use this only when migrating from CubicWeb or maintaining an existing CubicWeb schema; new applications should use FrameworkModel or TimestampedModel.

Relationships

jm_relationship

SQLModel Relationship wrapper that attaches cardinality metadata. The DynamicResource UI component reads this metadata to render required/optional indicators and pagination hints. All **kwargs are passed through to SQLModel’s Relationship.
min_items
int
default:"0"
Minimum number of related items (used for UI validation hints).
max_items
int | None
default:"None"
Maximum number of related items. None means unbounded.
required
bool
default:"False"
Whether the relation is required.
**kwargs
Any
Passed directly to SQLModel’s Relationship (e.g. back_populates, link_model).

RelationCardinality

Dataclass stored in the SQLAlchemy relationship info dict by jm_relationship. You do not normally construct this directly.

get_pk_field_name

Returns the Python attribute name for the primary key of a mapped SQLModel class. Falls back to "id" if inspection fails.

CRUD router

create_crud_router

Generates a FastAPI APIRouter with standard list, get, create, update, and delete endpoints for model_class. See CRUD Router for the full endpoint reference.
model_class
Type[T]
required
A SQLModel table class.
prefix
str | None
URL prefix for all routes. Defaults to /<tablename>.
tags
list[str] | None
OpenAPI tags. Defaults to [<tablename>].
pk_type
type
default:"int"
Python type of the primary key.

Access control

VeloIQ provides three layers of declarative access control. All are opt-in and can be combined freely.

Method set constants

RoleDef

Defines a developer-declared role. Pass a list of RoleDef objects to VeloIQConfig.roles; they are upserted to the database on startup.

DEFAULT_ROLES

Built-in role definitions used when VeloIQConfig.roles is not overridden.

model_access

Class decorator that restricts which Refine actions a role may perform on this specific model. Roles not mentioned inherit their global permissions unchanged. Exceptions are restrictive only — they can narrow access, never grant beyond a role’s global permissions.

veloiq_field

SQLModel/Pydantic field with optional per-role read and write restrictions. Wraps pydantic.Field and stores role metadata in json_schema_extra so the schema generator emits readRoles/writeRoles into TypeScript schemas. The CRUD router enforces these restrictions at runtime.
read_roles
list[str] | None
Roles allowed to read this field. Absent means all roles can read it.
write_roles
list[str] | None
Roles allowed to write this field. Absent means all roles can write it.
**kwargs
Any
Passed through to pydantic.Field (e.g. default, description).

rebac

Class decorator for row-level access control. At least one of filter, owner_field, or tenant_field must be supplied. Multiple options are OR-combined — a row is visible if any rule allows it.
filter
callable | None
A lambda (user, cls, session) -> SQLAlchemy clause | True | False | None. Return a WHERE clause for permitted rows, True for no restriction, or False to deny all rows.
owner_field
str | None
Name of a column pointing to veloiq_user.id. Shorthand for a filter that matches cls.<field> == user["eid"].
tenant_field
str | None
Name of a column pointing to veloiq_tenant.id. Grants access when the tenant is one the authenticated user belongs to.
@rebac applies to all roles, including Admin. To exempt Admins, return True from the filter when the user has the Admin role. Inaccessible rows return 404, not 403, to avoid leaking which IDs exist.

rebac_subquery

Returns a SQLAlchemy subquery of primary keys of model_class rows that user may access. Designed to be called inside a @rebac(filter=…) lambda to express relationship-based access. The target model_class must itself carry a @rebac decorator. Raises ValueError on circular dependencies.

Auth utilities

get_current_user

FastAPI dependency that returns the authenticated user payload decoded from the JWT Bearer token. The payload is a dict containing at minimum sub (user ID as string) and roles (list of role names).

require_role

FastAPI dependency that raises HTTP 403 if the authenticated user does not hold at least one of the specified roles.

get_session

FastAPI dependency that yields a sqlmodel.Session bound to the configured database engine. Use it in custom endpoints that need direct database access.

Configuration

Full VeloIQConfig field reference and environment variables.

CRUD Router

Auto-generated endpoint reference and query parameter details.