JWT API

This part of the documentation covers all the interfaces of joserfc.jwt.

class joserfc.jwt.ClaimsOption
class joserfc.jwt.JWTClaimsRegistry(now: int | None = None, leeway: int = 0, **kwargs: ClaimsOption)
validate_aud(value: str | list[str]) None

The “aud” (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the “aud” claim when this claim is present, then the JWT MUST be rejected. In the general case, the “aud” value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the “aud” value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

validate_exp(value: int) None

The “exp” (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the “exp” claim requires that the current date/time MUST be before the expiration date/time listed in the “exp” claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

validate_iat(value: int) None

The “iat” (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

validate_nbf(value: int) None

The “nbf” (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the “nbf” claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the “nbf” claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

class joserfc.jwt.Token(header: Dict[str, Any], claims: Dict[str, Any])

The extracted token object, which contains header and claims.

Parameters:

  • header – the header part of the JWT

  • claims – the payload part of the JWT

claims

payload claims in dict

header

header in dict

joserfc.jwt.check_sensitive_data(claims: Dict[str, Any]) None

Check if claims contains sensitive information.

joserfc.jwt.decode(value: bytes | str, key: str | bytes | OctKey | RSAKey | ECKey | OKPKey | KeySet | Callable[[GuestProtocol], str | bytes | OctKey | RSAKey | ECKey | OKPKey | KeySet], algorithms: list[str] | None = None, registry: JWSRegistry | JWERegistry | None = None) Token

Decode the JSON Web Token string with the given key, and validate it with the claims requests.

Parameters:

  • value – text of the JWT

  • key – key used to verify the signature

  • algorithms – a list of allowed algorithms

  • registry – a JWSRegistry or JWERegistry to use

Raise:

BadSignatureError

joserfc.jwt.encode(header: Dict[str, Any], claims: Dict[str, Any], key: str | bytes | OctKey | RSAKey | ECKey | OKPKey | KeySet | Callable[[GuestProtocol], str | bytes | OctKey | RSAKey | ECKey | OKPKey | KeySet], algorithms: list[str] | None = None, registry: JWSRegistry | JWERegistry | None = None) str

Encode a JSON Web Token with the given header, and claims.

Parameters:

  • header – A dict of the JWT header

  • claims – A dict of the JWT claims to be encoded

  • key – key used to sign the signature

  • algorithms – a list of allowed algorithms

  • registry – a JWSRegistry or JWERegistry to use