A utility for verifying JWTs issued by AWS Cognito.
Project description
cognito-jwt-verifier
A utility for verifying JWTs issued by AWS Cognito.
✨ Features
- Async & non‑blocking verification using
aiohttp. - Automatic JWKS caching & key rollover.
- Validates both ID and access tokens out‑of‑the‑box.
- Zero heavy dependencies (only
aiohttp,PyJWT,cryptography).
📦 Installation
pip install cognito-jwt-verifier
🚀 Quick Start
import asyncio
from cognito_jwt_verifier import AsyncCognitoJwtVerifier
async def main():
verifier = AsyncCognitoJwtVerifier(
issuer="https://cognito-idp.us-east-2.amazonaws.com/<USER_POOL_ID>",
client_ids=["<APP_CLIENT_ID>"],
)
await verifier.init_keys() # optional warm‑up
claims = await verifier.verify_id_token("<ID_TOKEN>")
print(claims)
asyncio.run(main())
🛡️ FastAPI example
from contextlib import asynccontextmanager
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2AuthorizationCodeBearer
from jwt import PyJWTError
from cognito_jwt_verifier import AsyncCognitoJwtVerifier
ISSUER = "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_ae7uogn5r"
CLIENT_IDS = ["4pvqqexampleclientid"]
verifier = AsyncCognitoJwtVerifier(ISSUER, client_ids=CLIENT_IDS)
oauth2_scheme = OAuth2AuthorizationCodeBearer(
authorizationUrl=f"{ISSUER}/oauth2/authorize",
tokenUrl=f"{ISSUER}/oauth2/token",
)
@asynccontextmanager
async def lifespan(app: FastAPI):
await verifier.init_keys()
try:
yield
finally:
await verifier.close()
app = FastAPI(lifespan=lifespan)
async def get_current_user(token: str = Depends(oauth2_scheme)):
try:
return await verifier.verify_access_token(token)
except Exception as exc:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=str(exc),
headers={"WWW-Authenticate": "Bearer"},
)
@app.get("/user")
async def read_user(user: dict = Depends(get_current_user)):
return {"user": user}
📚 API at a glance
| Method | Description |
|---|---|
init_keys() |
Prefetch JWKS (optional). |
verify_id_token(token: str) |
Validate an ID token & return claims. |
verify_access_token(token: str) |
Validate an access token & return claims. |
close() |
Close the internal aiohttp session. |
If Cognito rotates its keys, the verifier fetches the new JWKS automatically.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cognito_jwt_verifier-0.0.3.tar.gz.
File metadata
- Download URL: cognito_jwt_verifier-0.0.3.tar.gz
- Upload date:
- Size: 6.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3b69c9cc5011c1c9ce43e42da5c11bdc8cd27b10b2d610acc0953d15af4c6420
|
|
| MD5 |
a825a25d5d253c0827573acc90bdfd11
|
|
| BLAKE2b-256 |
645a68b7e443ba21ea2ac6450e23aff416801466e0fc998f4ebc01fae534fdc7
|
File details
Details for the file cognito_jwt_verifier-0.0.3-py3-none-any.whl.
File metadata
- Download URL: cognito_jwt_verifier-0.0.3-py3-none-any.whl
- Upload date:
- Size: 4.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.8
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
25e9c4917977ca0ca9ff63126bdb7f7ec6a4b54377ab0a313ffbddcc218e21dc
|
|
| MD5 |
5d5d1f4c8054c35be078634f4c7fad88
|
|
| BLAKE2b-256 |
49a50e2c00b31b6246539460dd439152c5e95d5e3c42f228c8e5c37d199e1163
|
