Auth¶

class atproto_server.auth.jwt.JwtPayload¶

The payload of the JWT.

Based on https://www.rfc-editor.org/rfc/rfc7519#section-4.1

field aud: str | List[str] | None = None¶: Audience (DID).

field exp: int | None = None¶: Expiration Time.

field iat: int | None = None¶: Issued At.

field iss: str | None = None¶: Issuer (DID).

field jti: str | None = None¶: JWT ID. Presented in Refresh Token.

field nbf: int | None = None¶: Not Before. Not used by ATProto.

field scope: str | None = None¶: Scope. ATProto specific.

field sub: str | None = None¶: Subject (DID).

atproto_server.auth.jwt.decode_jwt_payload(payload: str | bytes) → JwtPayload¶

Decode the given JWT payload.

Parameters:: payload – The JWT payload to decode.
Returns:: The decoded payload of the given JWT.
Return type:: JwtPayload

atproto_server.auth.jwt.get_jwt_payload(jwt: str) → JwtPayload¶

Return the payload of the given JWT.

Parameters:: jwt – The JWT to get the payload from.
Returns:: The payload of the given JWT.
Return type:: JwtPayload

atproto_server.auth.jwt.parse_jwt(jwt: str | bytes) → Tuple[bytes, bytes, Dict[str, Any], bytes]¶

Parse the given JWT.

Parameters:: jwt – The JWT to parse.
Returns:: The parsed JWT: payload, signing input, header, signature.
Return type:: tuple of bytes, bytes, dict, bytes

atproto_server.auth.jwt.validate_jwt_payload(payload: JwtPayload, leeway: int = 0) → None¶

Validate the given JWT payload.

Parameters:

payload – The JWT payload to validate.
leeway – The leeway in seconds to accept when verifying time claims (exp, iat).

Returns:

The payload is valid.

Return type:

None

Raises:

TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.

atproto_server.auth.jwt.verify_jwt(jwt: str, get_signing_key_callback: Callable[[str, bool], str], own_did: str | None = None) → JwtPayload¶

Verify the given JWT.

Parameters:

jwt – The JWT to verify.
get_signing_key_callback – The callback to get the signing key.
own_did – The DID of the service (aud).

Returns:

The payload of the given JWT.

Return type:

JwtPayload

Raises:

TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidAudienceError – If the given JWT has invalid audience.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.
TokenInvalidSignatureError – If the given JWT has invalid signature.

async atproto_server.auth.jwt.verify_jwt_async(jwt: str, get_signing_key_callback: Callable[[str, bool], Coroutine[Any, Any, str]], own_did: str | None = None) → JwtPayload¶

Asynchronously verifies the given JWT.

Parameters:

jwt – The JWT to verify.
get_signing_key_callback – The callback to get the signing key.
own_did – The DID of the service (aud).

Returns:

The payload of the given JWT.

Return type:

JwtPayload

Raises:

TokenDecodeError – If the given JWT is invalid.
TokenExpiredSignatureError – If the given JWT is expired.
TokenImmatureSignatureError – If the given JWT is immature.
TokenInvalidAudienceError – If the given JWT has invalid audience.
TokenInvalidIssuedAtError – If the given JWT has invalid issued at.
TokenInvalidSignatureError – If the given JWT has invalid signature.