Async JWKS key fetching, caching, and JWT verification

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers
Report project as malware

Project description

auth-jwks

Async JWKS key fetching, caching, and JWT verification built on httpx + PyJWT.

Why

Validating JWT tokens against JWKS endpoints requires:

  • fetching keys from a discovery URL or certs endpoint
  • caching keys with TTL to avoid hitting the endpoint on every request
  • thread-safe refresh under asyncio (double-checked locking)
  • handling key rotation (kid lookup + automatic refresh)

auth-jwks solves this with a single async client that handles discovery, caching, and verification in one call.

Features

  • OpenID Connect discovery (.well-known/openid-configuration)
  • Cloudflare Access token validation + Starlette middleware
  • Async-native (httpx), no blocking I/O
  • Auto-caching with configurable TTL (default 15 min)
  • RS256 + ES256 algorithms
  • Bearer prefix auto-stripping
  • Fully typed (py.typed)

Installation

pip install auth-jwks
# With Cloudflare Access support:
pip install auth-jwks[cloudflare]

Usage

OAuth2 / OpenID Connect

Validate ID Tokens or JWT Access Tokens against any OIDC provider (Ory Hydra, Keycloak, Auth0, etc.):

from auth_jwks import JWKS

jwks = JWKS(
    discovery_url="https://your-issuer/.well-known/openid-configuration",
    aud="your-client-id",
)
payload = await jwks.verify_token(token)
await jwks.close()

Cloudflare Access

Validate Cloudflare Access JWT tokens and extract user identity:

from auth_jwks.cloudflare import CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
user = await cfa.verify_user(token)      # -> User(sub, email, country)
email = await cfa.verify_email(token)    # -> str
identity = await cfa.get_identity(token) # -> Identity (full CF profile)
await cfa.close()

Starlette / FastAPI Middleware

Protect routes with Cloudflare Access authentication:

from auth_jwks.cloudflare import CfaAuthMiddleware, CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
app.add_middleware(CfaAuthMiddleware, verify_token=cfa.verify_user)
# request.state.user -> User(sub, email, country)

Configuration

JWKS

Parameter Default Description
discovery_url OpenID Connect discovery endpoint
aud None Expected audience (skip validation if None)
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds
timeout 5.0 HTTP request timeout in seconds
retries 3 HTTP retry count

CloudFlareTokenValidation

Parameter Default Description
aud Cloudflare Access application audience tag
team Cloudflare Access team name
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds

All clients must be closed after use (await client.close()). Token methods raise jwt.InvalidTokenError on validation failure.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers

Release history Release notifications | RSS feed

0.4.0

0.3.0

0.2.2

0.2.1

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

auth_jwks-0.1.0.tar.gz (47.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

auth_jwks-0.1.0-py3-none-any.whl (9.4 kB view details)

Uploaded Python 3

File details

Details for the file auth_jwks-0.1.0.tar.gz.

File metadata

  • Download URL: auth_jwks-0.1.0.tar.gz
  • Upload date:
  • Size: 47.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.1.0.tar.gz
Algorithm Hash digest
SHA256 47cc461c3e0d4846974f6412cb039490be10f965816a168318c71e70000762c3
MD5 f4367afc75df22fd3fc55fe3893287d0
BLAKE2b-256 0673bf18d47e97d4e27ad34f48f757763820d9f691652447201f5a8c0f3e3f37

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.1.0.tar.gz:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file auth_jwks-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: auth_jwks-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 9.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 01309066b242de123eb8c529f641ee3f465f61e77910e9a8fc76e21334943864
MD5 cfb2003e8aa231d158e11314c8761a44
BLAKE2b-256 0ba2feebbb6094e7cbef71f52e6301fca7a98c13d7915aad9138aa38e88afa13

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.1.0-py3-none-any.whl:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page