A minimal, spec-first, framework-agnostic, async-only JWT validator with zero network dependencies.
Project description
async-jwt-core
A minimal, spec-first, framework-agnostic, async-only JWT validator with zero network dependencies.
๐ Why async-jwt-core? (The Problem We Solve)
In the modern Python async ecosystem, validating JWTs using JSON Web Key Sets (JWKS) usually forces you into one of two bad situations:
- Framework Lock-in: Libraries tied directly to FastAPI, Starlette, or Django.
- Opinionated I/O: Libraries that insist on making network calls for you (often using specific HTTP clients) to fetch keys.
async-jwt-core solves this by doing exactly one thing perfectly: Pure Cryptographic Validation without I/O.
We provide the core validation logic. You bring the keys. This gives you absolute control over how keys are fetched, cached, and stored, while ensuring your event loop never blocks.
๐ก Core Examples: Why You Should Use It
1. The Direct Approach (FastAPI Dependency)
Validate a token in FastAPI without letting the JWT library block your event loop with hidden network calls.
from fastapi import FastAPI, Depends, HTTPException, Request
from async_jwt_core import Validator, ValidationError
app = FastAPI()
validator = Validator(algorithms=["RS256"])
@app.get("/protected")
async def protected_route(request: Request):
try:
# Extract token from request headers
token = Validator.extract_token(request)
# YOU fetch the keys (e.g., from Redis). No hidden I/O!
jwks = await my_custom_key_fetcher()
# Validate!
claims = await validator.validate(token, jwks)
return {"message": f"Welcome {claims.sub}!"}
except ValidationError as e:
raise HTTPException(status_code=401, detail=str(e))
2. The Middleware Approach (FastAPI)
Just like you add CORSMiddleware, you can add our FastAPIMiddleware to protect all routes automatically!
from fastapi import FastAPI
from async_jwt_core import Validator
from async_jwt_core.middleware import FastAPIMiddleware
app = FastAPI()
# 1. Initialize validator (Uses ASYNC_JWT_ISSUER from ENV)
validator = Validator(algorithms=["RS256"])
# 2. Add middleware just like CORSMiddleware!
app.add_middleware(
FastAPIMiddleware,
validator=validator,
jwks={"keys": [...]} # Pass your JWKS here
)
@app.get("/protected")
async def protected_route(request: Request):
# Claims are automatically attached to request.state!
claims = request.state.user_claims
return {"message": f"Hello {claims.sub}"}
๐ Feature Showcase: Why We Are the Best
Here is a comparison of why async-jwt-core is the ultimate choice for modern Python web applications:
| Feature / Capability | Standard PyJWT | Framework Libs | async-jwt-core |
|---|---|---|---|
| Async Native | โ (Sync only) | ๐ก (Sometimes) | โ |
| Zero I/O (Absolute Control) | โ | โ (Often fetches keys) | โ |
| No Framework Lock-in | โ | โ (FastAPI/Django only) | โ |
| Extensible Algorithms | โ (Hard to add) | โ (Hard to add) | โ |
| In-built Middlewares | โ | โ | โ (FastAPI, Flask, Django) |
| In-built Rate Limiting | โ | โ | โ (Token Bucket) |
| JWE Decryption | โ | โ | โ (RSA-OAEP + AES-GCM) |
| Token Creation (Signing) | โ | โ | โ |
| Role & Scope Validation (RBAC) | โ (Do it yourself) | โ (Do it yourself) | โ |
| Access IDs Validation | โ (Do it yourself) | โ (Do it yourself) | โ |
| Session ID Validation | โ (Do it yourself) | โ (Do it yourself) | โ |
๐ Environment Variables Configuration
You can configure the default behavior of the Validator using environment variables. This is useful for containerized applications and avoiding hardcoded secrets in code.
All variables use the ASYNC_JWT_ prefix to avoid conflicts:
| Variable | Description | Default | Example |
|---|---|---|---|
ASYNC_JWT_ALGORITHMS |
Comma-separated list of allowed algorithms. | RS256 |
RS256,HS256 |
ASYNC_JWT_ISSUER |
The expected issuer (iss) claim. |
None |
https://auth.example.com |
ASYNC_JWT_AUDIENCE |
The expected audience (aud) claim. |
None |
my-api-audience |
How to use them:
Just set them in your OS or .env file:
export ASYNC_JWT_ALGORITHMS="RS256,HS256"
export ASYNC_JWT_ISSUER="https://auth.yourdomain.com"
export ASYNC_JWT_AUDIENCE="your-app-audience"
And initialize the validator without arguments:
from async_jwt_core import Validator
# Automatically picks up values from the environment variables!
validator = Validator()
โจ Key Features
- ๐ Zero Network I/O โ Keys are fetched externally.
- โก Async-Only API โ Designed from the ground up for
asyncio. - ๐งฉ Framework Agnostic โ Works with FastAPI, Sanic, aiohttp, Flask, or Django.
- ๐ฏ Custom Claim Validation โ Pass your own validation functions.
- ๐ฆ Ultra Lightweight โ Only depends on
cryptography.
๐ Supported Algorithms
We support a vast range of modern cryptographic algorithms out of the box (13 total):
HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA.
๐ฌ How to Test Your Application
Testing an application that uses async-jwt-core is easy. You can mock the Validator or create valid tokens for testing using Encoder.
Here is an example using pytest and httpx to test a FastAPI endpoint:
import pytest
from httpx import AsyncClient
from async_jwt_core import Encoder
@pytest.mark.asyncio
async def test_protected_route():
from my_app import app # Import your FastAPI app
# 1. Create a valid token for testing
header = {"alg": "HS256", "kid": "test-key"}
payload = {"sub": "user123", "roles": ["admin"]}
secret = "my-test-secret"
token = Encoder.create_token(header, payload, secret)
# 2. Call your protected endpoint
async with AsyncClient(app=app, base_url="http://test") as ac:
response = await ac.get(
"/protected",
headers={"Authorization": f"Bearer {token}"}
)
assert response.status_code == 200
assert response.json()["message"] == "Welcome user123!"
๐ Examples (References for Users)
We provide full working examples in the GitHub repository:
- ๐ Basic Usage: Shows how to create and validate a token.
- ๐ FastAPI Demo: Shows how to integrate with FastAPI.
- ๐ถ๏ธ Flask Demo: Shows how to use it in Flask.
- ๐ธ Django Demo: Shows how to use it in Django.
๐ ๏ธ Installation
uv add async-jwt-core
๐ Project Links & Resources
- ๐ฆ PyPI: https://pypi.org/project/async-jwt-core/
- ๐ GitHub: https://github.com/Bishwajitgarai/async-jwt-core
๐ค Contributing
We welcome contributions! This is an open-source project designed to make async JWT validation better for everyone. If you have ideas for new features, bug fixes, or improvements, feel free to open an issue or submit a pull request on GitHub!
๐ค Author
Developed and maintained by Bishwajit Garai.
๐ License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file async_jwt_core-0.2.9.tar.gz.
File metadata
- Download URL: async_jwt_core-0.2.9.tar.gz
- Upload date:
- Size: 17.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5f53c984d44b3200d078ebfef0b92f2e502fde90fc7c0d30b29b39e07fe79d63
|
|
| MD5 |
7d5e3f871b2c3d26115505e564f1a694
|
|
| BLAKE2b-256 |
6df4d7feeaa5116618d4158dd41dfe47bfea34ecda24fbbd14b06cbf4ffdc0fa
|
File details
Details for the file async_jwt_core-0.2.9-py3-none-any.whl.
File metadata
- Download URL: async_jwt_core-0.2.9-py3-none-any.whl
- Upload date:
- Size: 20.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
91e7913105526b2f997c52b93299b00f5aef79f15c286262ab284fb29792a7fc
|
|
| MD5 |
b2a46d2e508dd0bf827e50ac0e09640f
|
|
| BLAKE2b-256 |
3aaf93cef765dcfcce91245913312c6c3c0693adf001510313c514910148f566
|
