Async JWKS key fetching, caching, and JWT verification

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers
Report project as malware

Project description

auth-jwks

Async JWKS key fetching, caching, and JWT verification built on httpx + PyJWT.

Why

Validating JWT tokens against JWKS endpoints requires:

  • fetching keys from a discovery URL or certs endpoint
  • caching keys with TTL to avoid hitting the endpoint on every request
  • thread-safe refresh under asyncio (double-checked locking)
  • handling key rotation (kid lookup + automatic refresh)

auth-jwks solves this with a single async client that handles discovery, caching, and verification in one call.

Features

  • OpenID Connect discovery (.well-known/openid-configuration)
  • Cloudflare Access token validation + Starlette middleware
  • Async-native (httpx), no blocking I/O
  • Auto-caching with configurable TTL (default 15 min)
  • RS256 + ES256 algorithms
  • Bearer prefix auto-stripping
  • Fully typed (py.typed)

Installation

pip install auth-jwks
# With Cloudflare Access support:
pip install auth-jwks[cloudflare]

Usage

OAuth2 / OpenID Connect

Validate ID Tokens or JWT Access Tokens against any OIDC provider (Ory Hydra, Keycloak, Auth0, etc.):

from auth_jwks import JWKS

jwks = JWKS(
    discovery_url="https://your-issuer/.well-known/openid-configuration",
    aud="your-client-id",
)
payload = await jwks.verify_token(token)
await jwks.close()

Token verification with automatic key discovery, caching, and rotation handling diagram

Cloudflare Access

Validate Cloudflare Access JWT tokens and extract user identity:

from auth_jwks.cloudflare import CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
user = await cfa.verify_user(token)      # -> User(sub, email, country)
email = await cfa.verify_email(token)    # -> str
identity = await cfa.get_identity(token) # -> Identity (full CF profile)
await cfa.close()

Token validation against Cloudflare's certs endpoint with optional identity enrichment diagram

Starlette / FastAPI Middleware

Protect routes with Cloudflare Access authentication:

from auth_jwks.cloudflare import CfaAuthMiddleware, CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
app.add_middleware(CfaAuthMiddleware, verify_token=cfa.verify_user)
# request.state.user -> User(sub, email, country)

Request authentication flow with dev bypass and automatic token extraction diagram

Configuration

JWKS

Parameter Default Description
discovery_url OpenID Connect discovery endpoint
aud None Expected audience (skip validation if None)
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds
timeout 5.0 HTTP request timeout in seconds
retries 3 HTTP retry count

CloudFlareTokenValidation

Parameter Default Description
aud Cloudflare Access application audience tag
team Cloudflare Access team name
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds

All clients must be closed after use (await client.close()). Token methods raise jwt.InvalidTokenError on validation failure.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers

Release history Release notifications | RSS feed

0.4.0

0.3.0

This version

0.2.2

0.2.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

auth_jwks-0.2.2.tar.gz (49.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

auth_jwks-0.2.2-py3-none-any.whl (9.9 kB view details)

Uploaded Python 3

File details

Details for the file auth_jwks-0.2.2.tar.gz.

File metadata

  • Download URL: auth_jwks-0.2.2.tar.gz
  • Upload date:
  • Size: 49.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.2.2.tar.gz
Algorithm Hash digest
SHA256 303830e7e9ecb7c1af13626e4b182ff91653767bda61436b4cc6e3a585aa6764
MD5 9c7ca2705bcf26cba566b0a1ef774c66
BLAKE2b-256 f6593302526eb3b61b332d87602025c54b442066032b0bdcdaa1b909595f17b4

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.2.2.tar.gz:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file auth_jwks-0.2.2-py3-none-any.whl.

File metadata

  • Download URL: auth_jwks-0.2.2-py3-none-any.whl
  • Upload date:
  • Size: 9.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 62ff8bcbbeffdd63f93c2ba981c9b50d760af32706b78c9835b8f242a3a20ac5
MD5 61871ce973fab56dbd59f1fb325cd955
BLAKE2b-256 aba8e7dd7276c68755d8a57567aa2fb16fcfaf4035eef12f6a2da88ab5f67e8a

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.2.2-py3-none-any.whl:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page