tessl/pypi-pyjwt
JSON Web Token implementation in Python with support for JWT, JWS, JWK, and JWKS
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-pyjwt@2.10.0index.mddocs/
PyJWT
A comprehensive Python library for JSON Web Token (JWT) implementation providing secure token-based authentication and authorization. PyJWT supports complete RFC 7519 standard with encoding, decoding, and validation using various cryptographic algorithms including HMAC, RSA, ECDSA, and EdDSA signatures.
Package Information
- Package Name: PyJWT
- Language: Python
- Installation:
pip install PyJWT(basic HMAC) orpip install PyJWT[crypto](full cryptographic support)
Core Imports
import jwtCommon usage imports:
from jwt import encode, decode, PyJWT
from jwt.exceptions import InvalidTokenError, ExpiredSignatureErrorBasic Usage
import jwt
from datetime import datetime, timedelta, timezone
# Encode a JWT
payload = {
'user_id': 123,
'exp': datetime.now(tz=timezone.utc) + timedelta(hours=1)
}
token = jwt.encode(payload, 'your-secret-key', algorithm='HS256')
# Decode and verify a JWT
try:
decoded = jwt.decode(token, 'your-secret-key', algorithms=['HS256'])
print(f"User ID: {decoded['user_id']}")
except jwt.ExpiredSignatureError:
print("Token has expired")
except jwt.InvalidTokenError:
print("Invalid token")Architecture
PyJWT provides a layered architecture for JWT operations:
- JWT Layer: High-level JWT encoding/decoding with claim validation (PyJWT class)
- JWS Layer: Lower-level JSON Web Signature operations (PyJWS class)
- JWK Layer: JSON Web Key handling and cryptographic key abstraction (PyJWK, PyJWKSet)
- JWKS Client: HTTP client for fetching and caching remote key sets (PyJWKClient)
- Algorithm Support: Pluggable cryptographic algorithm system with HMAC, RSA, ECDSA, EdDSA
This design enables secure token operations across web frameworks, API services, and microservices with comprehensive claim validation, flexible key management, and extensive algorithm support.
Capabilities
JWT Operations
Core JWT encoding and decoding functionality with automatic claim validation, expiration checking, and signature verification. Supports standard claims (exp, nbf, iat, aud, iss, sub) and custom payloads.
def encode(payload: dict, key: str | bytes, algorithm: str = 'HS256',
headers: dict = None, json_encoder = None) -> str: ...
def decode(jwt: str | bytes, key: str | bytes = '', algorithms: list = None,
options: dict = None, audience: str = None, issuer: str = None,
leeway: float = 0) -> dict: ...
class PyJWT:
def __init__(self, options: dict = None): ...
def encode(self, payload: dict, key, algorithm: str = None,
headers: dict = None) -> str: ...
def decode(self, jwt: str | bytes, key = '', algorithms: list = None,
options: dict = None) -> dict: ...JWS Operations
Lower-level JSON Web Signature operations for signing and verifying arbitrary payloads. Provides direct access to the signature layer without JWT-specific claim validation.
class PyJWS:
def __init__(self, algorithms: list = None, options: dict = None): ...
def encode(self, payload: bytes, key, algorithm: str = None,
headers: dict = None) -> str: ...
def decode(self, jws: str | bytes, key = '', algorithms: list = None,
options: dict = None) -> bytes: ...
def get_unverified_header(self, jwt: str | bytes) -> dict: ...JSON Web Keys (JWK)
JSON Web Key handling and cryptographic key abstraction supporting RSA, ECDSA, EdDSA, and symmetric keys. Provides key parsing, validation, and algorithm detection.
class PyJWK:
def __init__(self, jwk_data: dict, algorithm: str = None): ...
@staticmethod
def from_dict(obj: dict, algorithm: str = None) -> 'PyJWK': ...
@staticmethod
def from_json(data: str, algorithm: str = None) -> 'PyJWK': ...
@property
def key_type(self) -> str: ...
@property
def key_id(self) -> str: ...
class PyJWKSet:
def __init__(self, keys: list): ...
@staticmethod
def from_dict(obj: dict) -> 'PyJWKSet': ...
@staticmethod
def from_json(data: str) -> 'PyJWKSet': ...
def __getitem__(self, kid: str) -> PyJWK: ...JWKS Client
HTTP client for fetching and caching JSON Web Key Sets from remote endpoints. Supports automatic key refresh, caching strategies, and integration with JWT verification.
class PyJWKClient:
def __init__(self, uri: str, cache_keys: bool = False,
max_cached_keys: int = 16, cache_jwk_set: bool = True,
lifespan: int = 300, headers: dict = None,
timeout: int = 30): ...
def get_signing_key(self, kid: str) -> PyJWK: ...
def get_signing_key_from_jwt(self, token: str) -> PyJWK: ...
def get_jwk_set(self, refresh: bool = False) -> PyJWKSet: ...Algorithm Management
Cryptographic algorithm registration and management system supporting custom algorithms and algorithm whitelisting for security.
def register_algorithm(alg_id: str, alg_obj) -> None: ...
def unregister_algorithm(alg_id: str) -> None: ...
def get_algorithm_by_name(alg_name: str): ...
def get_unverified_header(jwt: str | bytes) -> dict: ...Exception Types
class PyJWTError(Exception):
"""Base class for all PyJWT exceptions"""
class InvalidTokenError(PyJWTError):
"""Invalid token format or structure"""
class DecodeError(InvalidTokenError):
"""Token parsing or decoding errors"""
class InvalidSignatureError(DecodeError):
"""Signature verification failed"""
class ExpiredSignatureError(InvalidTokenError):
"""Token has expired (exp claim)"""
class ImmatureSignatureError(InvalidTokenError):
"""Token not yet valid (nbf/iat claims)"""
class InvalidAudienceError(InvalidTokenError):
"""Audience claim validation failed"""
class InvalidIssuerError(InvalidTokenError):
"""Issuer claim validation failed"""
class MissingRequiredClaimError(InvalidTokenError):
"""Required claim missing from token"""
class InvalidSubjectError(InvalidTokenError):
"""Subject claim validation failed"""
class InvalidJTIError(InvalidTokenError):
"""JWT ID claim validation failed"""
class PyJWKError(PyJWTError):
"""JSON Web Key related errors"""
class MissingCryptographyError(PyJWKError):
"""Cryptography library required for asymmetric algorithms"""
class PyJWKClientError(PyJWTError):
"""JWKS client errors"""