Protected Compact JWS Helper

A command-line helper that signs and verifies payloads using compact JWS, enforcing protected algorithm headers and key-type-aware verification.

Capabilities

Compact signing enforces protected alg

• Signing a payload in compact form produces a token whose protected header contains the algorithm value even when callers supply it only as an unprotected field; the encoded header decodes to include "alg" with the requested algorithm. @test

Key-type-driven verification

• Verifying a compact token with an explicit key type loads the correct key representation for that type (e.g., RSA vs symmetric) and rejects verification when the provided key type does not match the token. @test

End-to-end compact roundtrip

• Signing a payload in compact mode with algorithm protection and then verifying it with the matching key type returns the original payload bytes. @test

Implementation

@generates

API

def build_compact_token(
    payload: bytes,
    key_path: str,
    algorithm: str,
    unprotected_headers: dict | None = None,
) -> bytes:
    """Create a compact JWS for the payload using the given key file and algorithm, ensuring the algorithm is protected."""


def verify_compact_token(
    token: bytes,
    key_path: str | None = None,
    key_type: str | None = None,
) -> bytes:
    """Verify a compact JWS token using the provided key file and key type hint, returning the payload bytes on success."""

Dependencies { .dependencies }

josepy { .dependency }

Provides CLI tooling and helpers for creating and verifying JOSE signatures with protected headers and key-type selection.