Async JWKS key fetching, caching, and JWT verification

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers
Report project as malware

Project description

auth-jwks

Async JWKS key fetching, caching, and JWT verification built on httpx + PyJWT.

Why

Validating JWT tokens against JWKS endpoints requires:

  • fetching keys from a discovery URL or certs endpoint
  • caching keys with TTL to avoid hitting the endpoint on every request
  • thread-safe refresh under asyncio (double-checked locking)
  • handling key rotation (kid lookup + automatic refresh)

auth-jwks solves this with a single async client that handles discovery, caching, and verification in one call.

Features

  • OpenID Connect discovery (.well-known/openid-configuration)
  • Direct JWKS endpoint access (skip discovery with jwks_uri)
  • Cloudflare Access token validation + Starlette middleware
  • Async-native (httpx), no blocking I/O
  • Auto-caching with configurable TTL (default 15 min)
  • RS256 + ES256 algorithms
  • Bearer prefix auto-stripping
  • Fully typed (py.typed)

Installation

pip install auth-jwks
# With Cloudflare Access support:
pip install auth-jwks[cloudflare]

Usage

OAuth2 / OpenID Connect

Validate ID Tokens or JWT Access Tokens against any OIDC provider (Ory Hydra, Keycloak, Auth0, etc.):

from auth_jwks import JWKS

jwks = JWKS(
    discovery_url="https://your-issuer/.well-known/openid-configuration",
    aud="your-client-id",
)
payload = await jwks.verify_token(token)
await jwks.close()

Token verification with automatic key discovery, caching, and rotation handling diagram

Direct JWKS Endpoint

When you already know the JWKS URI and don't need OpenID Connect discovery (e.g., AWS Cognito, Firebase, or custom providers):

from auth_jwks import JWKS

jwks = JWKS(
    jwks_uri="https://your-provider.example.com/.well-known/jwks.json",
    issuer="https://your-provider.example.com",
    aud="your-client-id",
)
payload = await jwks.verify_token(token)
await jwks.close()

This skips the discovery step and fetches keys directly from the JWKS endpoint. The issuer parameter is optional; when omitted, issuer claim validation is skipped.

Cloudflare Access

Validate Cloudflare Access JWT tokens and extract user identity:

from auth_jwks.cloudflare import CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
user = await cfa.verify_user(token)      # -> User(sub, email, country)
email = await cfa.verify_email(token)    # -> str
identity = await cfa.get_identity(token) # -> Identity (full CF profile)
await cfa.close()

Token validation against Cloudflare's certs endpoint with optional identity enrichment diagram

Starlette / FastAPI Middleware

Protect routes with Cloudflare Access authentication:

from auth_jwks.cloudflare import CfaAuthMiddleware, CloudFlareTokenValidation

cfa = CloudFlareTokenValidation(aud="your-aud", team="your-team")
app.add_middleware(CfaAuthMiddleware, verify_token=cfa.verify_user)
# request.state.user -> User(sub, email, country)

Request authentication flow with dev bypass and automatic token extraction diagram

Configuration

JWKS

Parameter Default Description
discovery_url None OpenID Connect discovery endpoint
jwks_uri None Direct JWKS endpoint URL (skips discovery)
issuer None Expected issuer (required for issuer validation in direct mode)
aud None Expected audience (skip validation if None)
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds
timeout 5.0 HTTP request timeout in seconds
retries 3 HTTP retry count
fix_local_url True Normalize local/Docker URLs (scheme + host replacement)

At least one of discovery_url or jwks_uri must be provided. When both are given, jwks_uri takes precedence.

CloudFlareTokenValidation

Parameter Default Description
aud Cloudflare Access application audience tag
team Cloudflare Access team name
allowed_algorithms {"RS256", "ES256"} Accepted signing algorithms
cache_ttl 900 Key cache lifetime in seconds
leeway 30.0 Clock skew tolerance in seconds

All clients must be closed after use (await client.close()). Token methods raise jwt.InvalidTokenError on validation failure.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for statishin from gravatar.com statishin

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Requires: Python >=3.10
  • Provides-Extra: cloudflare
Classifiers

Release history Release notifications | RSS feed

0.4.0

This version

0.3.0

0.2.2

0.2.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

auth_jwks-0.3.0.tar.gz (51.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

auth_jwks-0.3.0-py3-none-any.whl (10.8 kB view details)

Uploaded Python 3

File details

Details for the file auth_jwks-0.3.0.tar.gz.

File metadata

  • Download URL: auth_jwks-0.3.0.tar.gz
  • Upload date:
  • Size: 51.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.3.0.tar.gz
Algorithm Hash digest
SHA256 aea462d54b89a2260757519cfbfe81ba8e5569a6ff4da29c70d1a9d4ab2d013f
MD5 fcaf33cd7b44928c64abe33867f9ebc1
BLAKE2b-256 77cbe5b37963f56b3e9d0a9e7046fad874fd5e545bd03abc59bb8198b318b564

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.3.0.tar.gz:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file auth_jwks-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: auth_jwks-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 10.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for auth_jwks-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 385a998d39b920dcf7dedfdb4aaa42a4dffb410bdd66ea9f8abc1076489ee52f
MD5 94c327bcca63eabd0d3bc4a4d228cac9
BLAKE2b-256 4e3a4db2d6bfe90b5b2e00292004f452ad056b314eb5c117478161a3f80e1ce3

See more details on using hashes here.

Provenance

The following attestation bundles were made for auth_jwks-0.3.0-py3-none-any.whl:

Publisher: release.yml on centum/auth-jwks

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page