Auth
- class atproto_server.auth.jwt.JwtPayload
The payload of the JWT.
Based on https://www.rfc-editor.org/rfc/rfc7519#section-4.1
- field aud: str | List[str] | None = None
Audience (DID).
- field exp: int | None = None
Expiration Time.
- field iat: int | None = None
Issued At.
- field iss: str | None = None
Issuer (DID).
- field jti: str | None = None
JWT ID. Present in the refresh token.
- field nbf: int | None = None
Not Before. Not used by ATProto.
- field scope: str | None = None
Scope. ATProto specific.
- field sub: str | None = None
Subject (DID).
- atproto_server.auth.jwt.decode_jwt_payload(payload: str | bytes) → JwtPayload
Decode the given JWT payload.
- Parameters:
payload – The JWT payload to decode.
- Returns:
The decoded payload of the given JWT.
- Return type:
JwtPayload
- atproto_server.auth.jwt.get_jwt_payload(jwt: str) → JwtPayload
Return the payload of the given JWT.
- Parameters:
jwt – The JWT to get the payload from.
- Returns:
The payload of the given JWT.
- Return type:
JwtPayload
- atproto_server.auth.jwt.parse_jwt(jwt: str | bytes) → Tuple[bytes, bytes, Dict[str, Any], bytes]
Parse the given JWT.
- Parameters:
jwt – The JWT to parse.
- Returns:
The parsed JWT: payload, signing input, header, signature.
- Return type:
tuple of bytes, bytes, dict, bytes
- atproto_server.auth.jwt.validate_jwt_payload(payload: JwtPayload, leeway: int = 0) → None
Validate the given JWT payload.
- Parameters:
payload – The JWT payload to validate.
leeway – The leeway in seconds to accept when verifying time claims (exp, iat).
- Returns:
The payload is valid.
- Return type:
None
- Raises:
TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.
- atproto_server.auth.jwt.verify_jwt(jwt: str, get_signing_key_callback: Callable[[str, bool], str], own_did: str | None = None) → JwtPayload
Verify the given JWT.
- Parameters:
jwt – The JWT to verify.
get_signing_key_callback – The callback to get the signing key.
own_did – The DID of the service (aud).
- Returns:
The payload of the given JWT.
- Return type:
JwtPayload
- Raises:
TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidAudienceError – If the given JWT has invalid audience.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.
TokenInvalidSignatureError – If the given JWT has invalid signature.
- async atproto_server.auth.jwt.verify_jwt_async(jwt: str, get_signing_key_callback: Callable[[str, bool], Coroutine[Any, Any, str]], own_did: str | None = None) → JwtPayload
Asynchronously verifies the given JWT.
- Parameters:
jwt – The JWT to verify.
get_signing_key_callback – The callback to get the signing key.
own_did – The DID of the service (aud).
- Returns:
The payload of the given JWT.
- Return type:
JwtPayload
- Raises:
TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidAudienceError – If the given JWT has invalid audience.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.
TokenInvalidSignatureError – If the given JWT has invalid signature.
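
Added example, not code from the atproto SDK: a stdlib-only sketch of the parse and claim-validation steps documented above. It shows that decoding a payload involves no signature check (the sample token carries junk signature bytes), and how `leeway` and `own_did` change the outcome. The helper names, the placeholder DIDs, the `ES256K` header value and the exact `<=`/`>` boundaries are assumptions made for illustration.

```python
import base64
import json

def b64url_decode(part: bytes) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + b"=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def split_jwt(jwt: str):
    """Split a compact JWT into (payload, signing input, header, signature)."""
    parts = jwt.encode().split(b".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    signing_input = header_b64 + b"." + payload_b64
    return b64url_decode(payload_b64), signing_input, header, b64url_decode(sig_b64)

def unverified_claims(jwt: str) -> dict:
    # Decoding only: nothing here looks at the signature.
    return json.loads(split_jwt(jwt)[0])

def check_claims(claims: dict, now: int, leeway: int = 0, own_did=None) -> str:
    """Return "ok" or the first failing check (boundaries are assumptions)."""
    if claims.get("exp") is not None and claims["exp"] <= now - leeway:
        return "expired"
    if claims.get("nbf") is not None and claims["nbf"] > now + leeway:
        return "immature"
    if claims.get("iat") is not None and claims["iat"] > now + leeway:
        return "invalid_iat"
    aud = claims.get("aud")
    if own_did is not None and own_did not in (aud if isinstance(aud, list) else [aud]):
        return "invalid_audience"
    return "ok"

# Constructed sample: placeholder DIDs, fixed clock, junk bytes as the signature.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"iss": "did:example:alice", "aud": "did:example:service",
                 "iat": NOW - 60, "exp": NOW - 5}
SAMPLE_JWT = b".".join([
    b64url_encode(json.dumps({"alg": "ES256K", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url_encode(b"not-a-real-signature"),
]).decode()

if __name__ == "__main__":
    print(unverified_claims(SAMPLE_JWT)["iss"], check_claims(SAMPLE_CLAIMS, NOW, leeway=30))
```

Claims read this way are only suitable for routing or logging; authorization decisions belong after `verify_jwt` has returned without raising.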