{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"jwtlib","text":""},{"location":"#jwtlib","title":"jwtlib","text":"

jwtlib: A framework-agnostic JWT authentication library.

"},{"location":"#jwtlib--summary","title":"Summary","text":"

jwtlib provides a set of pure logic components for handling JWT discovery, user registration, login, and token introspection. It is designed to be decoupled from any specific web framework (like FastAPI or Flask).

"},{"location":"#jwtlib--installation","title":"Installation","text":"

Install using pip:

pip install py-jwt\n
"},{"location":"#jwtlib--quick-start","title":"Quick Start","text":"
import asyncio\nfrom jwtlib import login_user, LoginRequest\n\nasync def main():\n    request = LoginRequest(username=\"admin\", password=\"password\")\n    response = await login_user(request)\n    print(f\"Access Token: {response.access_token}\")\n
"},{"location":"#jwtlib--public-api","title":"Public API","text":"

This package re-exports the core authentication primitives. Consumers are encouraged to import from this namespace for high-level operations.

Authentication: - register_user - login_user - logout_user - get_logged_in_user

Introspection: - introspect_token - authenticate_request (logic-only)

Models: - RegisterRequest / LoginRequest / LoginResponse / LogoutResponse - PublicUser - IntrospectRequest / IntrospectResponse - TokenPayload

Exceptions: - AuthError - InvalidToken - UserNotFound

"},{"location":"#jwtlib-classes","title":"Classes","text":""},{"location":"#jwtlib.AuthError","title":"AuthError","text":"

Bases: Exception

Base authentication and authorization error.

Notes

Guarantees:

- All authentication-related exceptions raised by this library inherit from this class\n- Consumers may catch this exception to handle all auth failures uniformly\n
"},{"location":"#jwtlib.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"#jwtlib.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"#jwtlib.InvalidToken","title":"InvalidToken","text":"

Bases: AuthError

Raised when a JWT is missing, malformed, expired, or invalid.

Notes

Guarantees:

- This error indicates that the provided token cannot be used to authenticate a request\n
"},{"location":"#jwtlib.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"#jwtlib.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"#jwtlib.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"#jwtlib.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"#jwtlib.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"#jwtlib.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"},{"location":"#jwtlib.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"#jwtlib.UserNotFound","title":"UserNotFound","text":"

Bases: AuthError

Raised when a valid token does not map to an existing user.

Notes

Guarantees:

- Indicates that authentication succeeded at the token level, but the associated user record could not be resolved\n
"},{"location":"#jwtlib-functions","title":"Functions","text":""},{"location":"#jwtlib.authenticate_request","title":"authenticate_request async","text":"
authenticate_request(should_skip_authentication: Callable[[str, str], bool], *, method: str, path: str, authorization_token: Optional[str]) -> Optional[PublicUser]\n

Authenticate an incoming request using token introspection.

Parameters:

Name Type Description Default should_skip_authentication Callable[[str, str], bool]

Callable that decides whether authentication is required for a given HTTP method and path.

required method str

HTTP method of the incoming request.

required path str

Request path.

required authorization_token str | None

JWT access token provided by the caller.

required

Returns:

Type Description Optional[PublicUser]

PublicUser | None: PublicUser if authentication succeeds; None if authentication is skipped.

Raises:

Type Description InvalidToken

If authentication is required but the token is missing, invalid, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached.

Notes

Responsibilities:

- Determines whether authentication should be skipped for the given request context and, if not, resolves the authenticated user via token introspection\n

Guarantees:

- This function does not parse Authorization headers; callers must supply the raw token. Access-control policy is externalized via `should_skip_authentication`.\n
"},{"location":"#jwtlib.get_logged_in_user","title":"get_logged_in_user async","text":"
get_logged_in_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Resolve the currently authenticated user from a JWT.

Parameters:

Name Type Description Default token str

JWT access token.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The authenticated user as a PublicUser.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

AuthError

If the token is valid, but the user cannot be resolved.

"},{"location":"#jwtlib.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str, repo: Optional[UserRepository] = None) -> IntrospectResponse\n

Introspect a JWT for service-to-service authentication.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description IntrospectResponse IntrospectResponse

IntrospectResponse indicating valid token with user, invalid token, or valid token with no user.

Notes

Responsibilities:

- Validates the provided token and resolves the associated user, returning a structured introspection response suitable for internal service use\n

Guarantees:

- This function never raises authentication exceptions. Instead, it returns a typed response indicating token validity and user presence.\n
"},{"location":"#jwtlib.login_user","title":"login_user async","text":"
login_user(user: LoginRequest, repo: Optional[UserRepository] = None) -> LoginResponse\n

Authenticate a user and issue an access token.

Parameters:

Name Type Description Default user LoginRequest

Login payload containing username and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description LoginResponse LoginResponse

LoginResponse containing the issued access token and related metadata.

Raises:

Type Description AuthError

If the credentials are invalid.

"},{"location":"#jwtlib.logout_user","title":"logout_user async","text":"
logout_user() -> LogoutResponse\n

Perform a stateless logout.

Returns:

Name Type Description LogoutResponse LogoutResponse

LogoutResponse containing a logout confirmation message.

Notes

Guarantees:

- This function does not invalidate tokens server-side. Instead, it provides a standardized response indicating that the client must discard its token.\n
"},{"location":"#jwtlib.register_user","title":"register_user async","text":"
register_user(user: RegisterRequest, repo: Optional[UserRepository] = None) -> PublicUser\n

Register a new user.

Parameters:

Name Type Description Default user RegisterRequest

Registration payload containing username, email, and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The newly created user as a public user representation.

"},{"location":"app/","title":"App","text":""},{"location":"app/#jwtlib.app","title":"jwtlib.app","text":"

Application-level authentication logic.

"},{"location":"app/#jwtlib.app--summary","title":"Summary","text":"

This module contains pure authentication and introspection logic with no framework or transport coupling. It is intended to be used by HTTP adapters, CLIs, background workers, and other services that require JWT-based authentication and user resolution.

Notes

Responsibilities:

- User registration and login\n- Stateless logout semantics\n- Current-user resolution from JWTs\n- Service-to-service token introspection\n

Constraints:

- This module intentionally does NOT: Define HTTP routes, manage sessions, perform request parsing or response formatting, or handle transport-level concerns.\n
"},{"location":"app/#jwtlib.app-classes","title":"Classes","text":""},{"location":"app/#jwtlib.app-functions","title":"Functions","text":""},{"location":"app/#jwtlib.app.get_logged_in_user","title":"get_logged_in_user async","text":"
get_logged_in_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Resolve the currently authenticated user from a JWT.

Parameters:

Name Type Description Default token str

JWT access token.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The authenticated user as a PublicUser.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

AuthError

If the token is valid, but the user cannot be resolved.

"},{"location":"app/#jwtlib.app.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str, repo: Optional[UserRepository] = None) -> IntrospectResponse\n

Introspect a JWT for service-to-service authentication.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description IntrospectResponse IntrospectResponse

IntrospectResponse indicating valid token with user, invalid token, or valid token with no user.

Notes

Responsibilities:

- Validates the provided token and resolves the associated user, returning a structured introspection response suitable for internal service use\n

Guarantees:

- This function never raises authentication exceptions. Instead, it returns a typed response indicating token validity and user presence.\n
"},{"location":"app/#jwtlib.app.login_user","title":"login_user async","text":"
login_user(user: LoginRequest, repo: Optional[UserRepository] = None) -> LoginResponse\n

Authenticate a user and issue an access token.

Parameters:

Name Type Description Default user LoginRequest

Login payload containing username and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description LoginResponse LoginResponse

LoginResponse containing the issued access token and related metadata.

Raises:

Type Description AuthError

If the credentials are invalid.

"},{"location":"app/#jwtlib.app.logout_user","title":"logout_user async","text":"
logout_user() -> LogoutResponse\n

Perform a stateless logout.

Returns:

Name Type Description LogoutResponse LogoutResponse

LogoutResponse containing a logout confirmation message.

Notes

Guarantees:

- This function does not invalidate tokens server-side. Instead, it provides a standardized response indicating that the client must discard its token.\n
"},{"location":"app/#jwtlib.app.register_user","title":"register_user async","text":"
register_user(user: RegisterRequest, repo: Optional[UserRepository] = None) -> PublicUser\n

Register a new user.

Parameters:

Name Type Description Default user RegisterRequest

Registration payload containing username, email, and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The newly created user as a public user representation.

"},{"location":"exceptions/","title":"Exceptions","text":""},{"location":"exceptions/#jwtlib.exceptions","title":"jwtlib.exceptions","text":"

Authentication and authorization exceptions.

"},{"location":"exceptions/#jwtlib.exceptions--summary","title":"Summary","text":"

This module defines the exception hierarchy used throughout the authentication library to represent authentication, authorization, and service-level failures.

All exceptions inherit from AuthError, allowing consumers to catch authentication-related failures broadly or handle specific cases selectively.

"},{"location":"exceptions/#jwtlib.exceptions-classes","title":"Classes","text":""},{"location":"exceptions/#jwtlib.exceptions.AuthError","title":"AuthError","text":"

Bases: Exception

Base authentication and authorization error.

Notes

Guarantees:

- All authentication-related exceptions raised by this library inherit from this class\n- Consumers may catch this exception to handle all auth failures uniformly\n
"},{"location":"exceptions/#jwtlib.exceptions.AuthServiceUnavailable","title":"AuthServiceUnavailable","text":"

Bases: AuthError

Raised when the authentication service cannot be reached.

Notes

Guarantees:

- Indicates a network failure, timeout, or unexpected error while communicating with the auth service\n
"},{"location":"exceptions/#jwtlib.exceptions.InvalidAuthorizationHeader","title":"InvalidAuthorizationHeader","text":"

Bases: AuthError

Raised when the Authorization header is missing or incorrectly formatted.

Notes

Guarantees:

- Indicates that the header is not present or does not follow the expected `Bearer <token>` format\n
"},{"location":"exceptions/#jwtlib.exceptions.InvalidToken","title":"InvalidToken","text":"

Bases: AuthError

Raised when a JWT is missing, malformed, expired, or invalid.

Notes

Guarantees:

- This error indicates that the provided token cannot be used to authenticate a request\n
"},{"location":"exceptions/#jwtlib.exceptions.NotAuthenticated","title":"NotAuthenticated","text":"

Bases: AuthError

Raised when authentication is required but no user context is present.

Notes

Guarantees:

- Typically used when attempting to access a protected operation without an authenticated user\n
"},{"location":"exceptions/#jwtlib.exceptions.UserNotFound","title":"UserNotFound","text":"

Bases: AuthError

Raised when a valid token does not map to an existing user.

Notes

Guarantees:

- Indicates that authentication succeeded at the token level, but the associated user record could not be resolved\n
"},{"location":"introspection/","title":"Introspection","text":""},{"location":"introspection/#jwtlib.introspection","title":"jwtlib.introspection","text":"

Auth client and access-control utilities.

"},{"location":"introspection/#jwtlib.introspection--summary","title":"Summary","text":"

This module provides pure authentication and authorization logic for validating JWTs via service-to-service introspection and resolving authenticated users.

Notes

Responsibilities:

- Calling the auth service introspection endpoint\n- Translating introspection responses into typed user models\n- Enforcing access control decisions at the logic layer\n

Constraints:

- This module intentionally does NOT: Parse HTTP requests or headers, implement authentication policies, or perform JWT signature verification locally.\n
"},{"location":"introspection/#jwtlib.introspection-classes","title":"Classes","text":""},{"location":"introspection/#jwtlib.introspection-functions","title":"Functions","text":""},{"location":"introspection/#jwtlib.introspection.authenticate_request","title":"authenticate_request async","text":"
authenticate_request(should_skip_authentication: Callable[[str, str], bool], *, method: str, path: str, authorization_token: Optional[str]) -> Optional[PublicUser]\n

Authenticate an incoming request using token introspection.

Parameters:

Name Type Description Default should_skip_authentication Callable[[str, str], bool]

Callable that decides whether authentication is required for a given HTTP method and path.

required method str

HTTP method of the incoming request.

required path str

Request path.

required authorization_token str | None

JWT access token provided by the caller.

required

Returns:

Type Description Optional[PublicUser]

PublicUser | None: PublicUser if authentication succeeds; None if authentication is skipped.

Raises:

Type Description InvalidToken

If authentication is required but the token is missing, invalid, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached.

Notes

Responsibilities:

- Determines whether authentication should be skipped for the given request context and, if not, resolves the authenticated user via token introspection\n

Guarantees:

- This function does not parse Authorization headers; callers must supply the raw token. Access-control policy is externalized via `should_skip_authentication`.\n
"},{"location":"introspection/#jwtlib.introspection.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str) -> dict[str, Any]\n

Introspect a JWT using the external authentication service.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required

Returns:

Type Description dict[str, Any]

dict[str, Any]: A dictionary containing the authenticated user's public payload.

Raises:

Type Description InvalidToken

If the token is missing, invalid, inactive, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached or fails unexpectedly.

Notes

Guarantees:

- This function treats the auth service as the source of truth. No local JWT validation or signature checking is performed here. The returned payload is expected to be safe for public exposure.\n
"},{"location":"repository/","title":"Repository","text":""},{"location":"repository/#jwtlib.repository","title":"jwtlib.repository","text":"

UserRepository: Persistence layer for authentication.

"},{"location":"repository/#jwtlib.repository--summary","title":"Summary","text":"

This module defines the MongoDB-backed repository for managing user records, including creation, lookup, and credential verification.

"},{"location":"repository/#jwtlib.repository-classes","title":"Classes","text":""},{"location":"repository/#jwtlib.repository.UserRepository","title":"UserRepository","text":"
UserRepository()\n

Bases: BaseRepository[User]

MongoDB-backed repository for User documents.

Notes

Responsibilities:

- Managing user persistence (CRUD)\n- Credential verification and token issuance\n
"},{"location":"repository/#jwtlib.repository.UserRepository-functions","title":"Functions","text":""},{"location":"repository/#jwtlib.repository.UserRepository.authenticate_user","title":"authenticate_user async","text":"
authenticate_user(user_auth: LoginRequest) -> Optional[dict]\n

Verify user credentials and prepare a login response.

Parameters:

Name Type Description Default user_auth LoginRequest

Login credentials.

required

Returns:

Type Description Optional[dict]

dict | None: A dictionary containing the access token and public user if successful, otherwise None.

"},{"location":"repository/#jwtlib.repository.UserRepository.create","title":"create async","text":"
create(user_create: RegisterRequest) -> PublicUser\n

Create a new user record.

Parameters:

Name Type Description Default user_create RegisterRequest

Registration data including prospective password.

required

Returns:

Name Type Description PublicUser PublicUser

A PublicUser representation of the created user.

"},{"location":"repository/#jwtlib.repository.UserRepository.get_active_users","title":"get_active_users async","text":"
get_active_users(skip: int = 0, limit: int = 100) -> List[User]\n

List all active users with pagination.

Parameters:

Name Type Description Default skip int

Number of records to skip.

0 limit int

Maximum number of records to return.

100

Returns:

Type Description List[User]

List[User]: A list of active User documents.

"},{"location":"repository/#jwtlib.repository.UserRepository.get_by_email","title":"get_by_email async","text":"
get_by_email(email: str) -> Optional[User]\n

Retrieve a user by their unique email address.

Parameters:

Name Type Description Default email str

The email address to search for.

required

Returns:

Type Description Optional[User]

Optional[User]: The User document if found, otherwise None.

"},{"location":"repository/#jwtlib.repository.UserRepository.get_by_username","title":"get_by_username async","text":"
get_by_username(username: str) -> Optional[User]\n

Retrieve a user by their unique username.

Parameters:

Name Type Description Default username str

The username to search for.

required

Returns:

Type Description Optional[User]

Optional[User]: The User document if found, otherwise None.

"},{"location":"repository/#jwtlib.repository-functions","title":"Functions","text":""},{"location":"security/","title":"Security","text":""},{"location":"security/#jwtlib.security","title":"jwtlib.security","text":"

Security utilities: Password hashing and JWT management.

"},{"location":"security/#jwtlib.security--summary","title":"Summary","text":"

This module provides low-level cryptographic helpers for password hashing and JWT token lifecycle management. It serves as the cryptographic engine for the authentication library.

"},{"location":"security/#jwtlib.security-classes","title":"Classes","text":""},{"location":"security/#jwtlib.security-functions","title":"Functions","text":""},{"location":"security/#jwtlib.security.create_access_token","title":"create_access_token","text":"
create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str\n

Generate a new JWT access token.

Parameters:

Name Type Description Default data dict

Subject data to include in the token payload.

required expires_delta timedelta

Optional expiration override.

None

Returns:

Name Type Description str str

An encoded JWT string.

"},{"location":"security/#jwtlib.security.get_jwt_payload","title":"get_jwt_payload","text":"
get_jwt_payload(token: str) -> TokenPayload\n

Decode and validate a JWT, returning a strongly-typed payload.

Parameters:

Name Type Description Default token str

The JWT string to decode.

required

Returns:

Name Type Description TokenPayload TokenPayload

The decoded and typed token payload.

Raises:

Type Description JWTError

If the token is invalid, expired, or malformed.

"},{"location":"security/#jwtlib.security.hash_password","title":"hash_password","text":"
hash_password(password: str) -> str\n

Hash a plain-text password using the configured crypt context.

Parameters:

Name Type Description Default password str

The plain-text password to hash.

required

Returns:

Name Type Description str str

The secure hash string.

"},{"location":"security/#jwtlib.security.verify_password","title":"verify_password","text":"
verify_password(plain_password: str, hashed_password: str) -> bool\n

Verify a plain-text password against a stored hash.

Parameters:

Name Type Description Default plain_password str

The unhashed password provided by the user.

required hashed_password str

The secure hash to verify against.

required

Returns:

Name Type Description bool bool

True if the password is valid, False otherwise.

"},{"location":"utils/","title":"Utils","text":""},{"location":"utils/#jwtlib.utils","title":"jwtlib.utils","text":"

Auth Utilities: Token validation and user resolution.

"},{"location":"utils/#jwtlib.utils--summary","title":"Summary","text":"

This module provides high-level helpers for validating JWT payloads and resolving users, intended for use in dependency injection or middleware.

"},{"location":"utils/#jwtlib.utils-classes","title":"Classes","text":""},{"location":"utils/#jwtlib.utils-functions","title":"Functions","text":""},{"location":"utils/#jwtlib.utils.get_current_user","title":"get_current_user async","text":"
get_current_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Validate token and return authenticated public user.

Parameters:

Name Type Description Default token str

The JWT string to validate.

required repo UserRepository

The user repository to use for resolution.

None

Returns:

Name Type Description PublicUser PublicUser

The resolved and validated user object.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

UserNotFound

If the token is valid, but the user does not exist in the repository.

"},{"location":"utils/#jwtlib.utils.get_user_repository","title":"get_user_repository","text":"
get_user_repository() -> UserRepository\n

Return a singleton or new instance of the UserRepository.

Returns:

Name Type Description UserRepository UserRepository

The user repository instance.

"},{"location":"utils/#jwtlib.utils.get_validated_token_payload","title":"get_validated_token_payload","text":"
get_validated_token_payload(token: str) -> TokenPayload\n

Validate a JWT and return a typed payload.

Parameters:

Name Type Description Default token str

The JWT string to validate.

required

Returns:

Name Type Description TokenPayload TokenPayload

The validated and typed token payload.

Raises:

Type Description JWTError

If the token is invalid or malformed.

"},{"location":"jwtlib/","title":"Jwtlib","text":""},{"location":"jwtlib/#jwtlib","title":"jwtlib","text":"

jwtlib: A framework-agnostic JWT authentication library.

"},{"location":"jwtlib/#jwtlib--summary","title":"Summary","text":"

jwtlib provides a set of pure logic components for handling JWT discovery, user registration, login, and token introspection. It is designed to be decoupled from any specific web framework (like FastAPI or Flask).

"},{"location":"jwtlib/#jwtlib--installation","title":"Installation","text":"

Install using pip:

pip install py-jwt\n
"},{"location":"jwtlib/#jwtlib--quick-start","title":"Quick Start","text":"
import asyncio\nfrom jwtlib import login_user, LoginRequest\n\nasync def main():\n    request = LoginRequest(username=\"admin\", password=\"password\")\n    response = await login_user(request)\n    print(f\"Access Token: {response.access_token}\")\n
"},{"location":"jwtlib/#jwtlib--public-api","title":"Public API","text":"

This package re-exports the core authentication primitives. Consumers are encouraged to import from this namespace for high-level operations.

Authentication: - register_user - login_user - logout_user - get_logged_in_user

Introspection: - introspect_token - authenticate_request (logic-only)

Models: - RegisterRequest / LoginRequest / LoginResponse / LogoutResponse - PublicUser - IntrospectRequest / IntrospectResponse - TokenPayload

Exceptions: - AuthError - InvalidToken - UserNotFound

"},{"location":"jwtlib/#jwtlib-classes","title":"Classes","text":""},{"location":"jwtlib/#jwtlib.AuthError","title":"AuthError","text":"

Bases: Exception

Base authentication and authorization error.

Notes

Guarantees:

- All authentication-related exceptions raised by this library inherit from this class\n- Consumers may catch this exception to handle all auth failures uniformly\n
"},{"location":"jwtlib/#jwtlib.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"jwtlib/#jwtlib.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"jwtlib/#jwtlib.InvalidToken","title":"InvalidToken","text":"

Bases: AuthError

Raised when a JWT is missing, malformed, expired, or invalid.

Notes

Guarantees:

- This error indicates that the provided token cannot be used to authenticate a request\n
"},{"location":"jwtlib/#jwtlib.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"jwtlib/#jwtlib.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"jwtlib/#jwtlib.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"jwtlib/#jwtlib.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"jwtlib/#jwtlib.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"jwtlib/#jwtlib.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"},{"location":"jwtlib/#jwtlib.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"jwtlib/#jwtlib.UserNotFound","title":"UserNotFound","text":"

Bases: AuthError

Raised when a valid token does not map to an existing user.

Notes

Guarantees:

- Indicates that authentication succeeded at the token level, but the associated user record could not be resolved\n
"},{"location":"jwtlib/#jwtlib-functions","title":"Functions","text":""},{"location":"jwtlib/#jwtlib.authenticate_request","title":"authenticate_request async","text":"
authenticate_request(should_skip_authentication: Callable[[str, str], bool], *, method: str, path: str, authorization_token: Optional[str]) -> Optional[PublicUser]\n

Authenticate an incoming request using token introspection.

Parameters:

Name Type Description Default should_skip_authentication Callable[[str, str], bool]

Callable that decides whether authentication is required for a given HTTP method and path.

required method str

HTTP method of the incoming request.

required path str

Request path.

required authorization_token str | None

JWT access token provided by the caller.

required

Returns:

Type Description Optional[PublicUser]

PublicUser | None: PublicUser if authentication succeeds; None if authentication is skipped.

Raises:

Type Description InvalidToken

If authentication is required but the token is missing, invalid, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached.

Notes

Responsibilities:

- Determines whether authentication should be skipped for the given request context and, if not, resolves the authenticated user via token introspection\n

Guarantees:

- This function does not parse Authorization headers; callers must supply the raw token. Access-control policy is externalized via `should_skip_authentication`.\n
"},{"location":"jwtlib/#jwtlib.get_logged_in_user","title":"get_logged_in_user async","text":"
get_logged_in_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Resolve the currently authenticated user from a JWT.

Parameters:

Name Type Description Default token str

JWT access token.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The authenticated user as a PublicUser.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

AuthError

If the token is valid, but the user cannot be resolved.

"},{"location":"jwtlib/#jwtlib.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str, repo: Optional[UserRepository] = None) -> IntrospectResponse\n

Introspect a JWT for service-to-service authentication.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description IntrospectResponse IntrospectResponse

IntrospectResponse indicating valid token with user, invalid token, or valid token with no user.

Notes

Responsibilities:

- Validates the provided token and resolves the associated user, returning a structured introspection response suitable for internal service use\n

Guarantees:

- This function never raises authentication exceptions. Instead, it returns a typed response indicating token validity and user presence.\n
"},{"location":"jwtlib/#jwtlib.login_user","title":"login_user async","text":"
login_user(user: LoginRequest, repo: Optional[UserRepository] = None) -> LoginResponse\n

Authenticate a user and issue an access token.

Parameters:

Name Type Description Default user LoginRequest

Login payload containing username and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description LoginResponse LoginResponse

LoginResponse containing the issued access token and related metadata.

Raises:

Type Description AuthError

If the credentials are invalid.

"},{"location":"jwtlib/#jwtlib.logout_user","title":"logout_user async","text":"
logout_user() -> LogoutResponse\n

Perform a stateless logout.

Returns:

Name Type Description LogoutResponse LogoutResponse

LogoutResponse containing a logout confirmation message.

Notes

Guarantees:

- This function does not invalidate tokens server-side. Instead, it provides a standardized response indicating that the client must discard its token.\n
"},{"location":"jwtlib/#jwtlib.register_user","title":"register_user async","text":"
register_user(user: RegisterRequest, repo: Optional[UserRepository] = None) -> PublicUser\n

Register a new user.

Parameters:

Name Type Description Default user RegisterRequest

Registration payload containing username, email, and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The newly created user as a public user representation.

"},{"location":"jwtlib/app/","title":"App","text":""},{"location":"jwtlib/app/#jwtlib.app","title":"jwtlib.app","text":"

Application-level authentication logic.

"},{"location":"jwtlib/app/#jwtlib.app--summary","title":"Summary","text":"

This module contains pure authentication and introspection logic with no framework or transport coupling. It is intended to be used by HTTP adapters, CLIs, background workers, and other services that require JWT-based authentication and user resolution.

Notes

Responsibilities:

- User registration and login\n- Stateless logout semantics\n- Current-user resolution from JWTs\n- Service-to-service token introspection\n

Constraints:

- This module intentionally does NOT: Define HTTP routes, manage sessions, perform request parsing or response formatting, or handle transport-level concerns.\n
"},{"location":"jwtlib/app/#jwtlib.app-classes","title":"Classes","text":""},{"location":"jwtlib/app/#jwtlib.app-functions","title":"Functions","text":""},{"location":"jwtlib/app/#jwtlib.app.get_logged_in_user","title":"get_logged_in_user async","text":"
get_logged_in_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Resolve the currently authenticated user from a JWT.

Parameters:

Name Type Description Default token str

JWT access token.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The authenticated user as a PublicUser.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

AuthError

If the token is valid, but the user cannot be resolved.

"},{"location":"jwtlib/app/#jwtlib.app.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str, repo: Optional[UserRepository] = None) -> IntrospectResponse\n

Introspect a JWT for service-to-service authentication.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description IntrospectResponse IntrospectResponse

IntrospectResponse indicating valid token with user, invalid token, or valid token with no user.

Notes

Responsibilities:

- Validates the provided token and resolves the associated user, returning a structured introspection response suitable for internal service use\n

Guarantees:

- This function never raises authentication exceptions. Instead, it returns a typed response indicating token validity and user presence.\n
"},{"location":"jwtlib/app/#jwtlib.app.login_user","title":"login_user async","text":"
login_user(user: LoginRequest, repo: Optional[UserRepository] = None) -> LoginResponse\n

Authenticate a user and issue an access token.

Parameters:

Name Type Description Default user LoginRequest

Login payload containing username and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description LoginResponse LoginResponse

LoginResponse containing the issued access token and related metadata.

Raises:

Type Description AuthError

If the credentials are invalid.

"},{"location":"jwtlib/app/#jwtlib.app.logout_user","title":"logout_user async","text":"
logout_user() -> LogoutResponse\n

Perform a stateless logout.

Returns:

Name Type Description LogoutResponse LogoutResponse

LogoutResponse containing a logout confirmation message.

Notes

Guarantees:

- This function does not invalidate tokens server-side. Instead, it provides a standardized response indicating that the client must discard its token.\n
"},{"location":"jwtlib/app/#jwtlib.app.register_user","title":"register_user async","text":"
register_user(user: RegisterRequest, repo: Optional[UserRepository] = None) -> PublicUser\n

Register a new user.

Parameters:

Name Type Description Default user RegisterRequest

Registration payload containing username, email, and password.

required repo UserRepository

Optional user repository instance. If not provided, a default repository is obtained via dependency utilities.

None

Returns:

Name Type Description PublicUser PublicUser

The newly created user as a public user representation.

"},{"location":"jwtlib/exceptions/","title":"Exceptions","text":""},{"location":"jwtlib/exceptions/#jwtlib.exceptions","title":"jwtlib.exceptions","text":"

Authentication and authorization exceptions.

"},{"location":"jwtlib/exceptions/#jwtlib.exceptions--summary","title":"Summary","text":"

This module defines the exception hierarchy used throughout the authentication library to represent authentication, authorization, and service-level failures.

All exceptions inherit from AuthError, allowing consumers to catch authentication-related failures broadly or handle specific cases selectively.

"},{"location":"jwtlib/exceptions/#jwtlib.exceptions-classes","title":"Classes","text":""},{"location":"jwtlib/exceptions/#jwtlib.exceptions.AuthError","title":"AuthError","text":"

Bases: Exception

Base authentication and authorization error.

Notes

Guarantees:

- All authentication-related exceptions raised by this library inherit from this class\n- Consumers may catch this exception to handle all auth failures uniformly\n
"},{"location":"jwtlib/exceptions/#jwtlib.exceptions.AuthServiceUnavailable","title":"AuthServiceUnavailable","text":"

Bases: AuthError

Raised when the authentication service cannot be reached.

Notes

Guarantees:

- Indicates a network failure, timeout, or unexpected error while communicating with the auth service\n
"},{"location":"jwtlib/exceptions/#jwtlib.exceptions.InvalidAuthorizationHeader","title":"InvalidAuthorizationHeader","text":"

Bases: AuthError

Raised when the Authorization header is missing or incorrectly formatted.

Notes

Guarantees:

- Indicates that the header is not present or does not follow the expected `Bearer <token>` format\n
"},{"location":"jwtlib/exceptions/#jwtlib.exceptions.InvalidToken","title":"InvalidToken","text":"

Bases: AuthError

Raised when a JWT is missing, malformed, expired, or invalid.

Notes

Guarantees:

- This error indicates that the provided token cannot be used to authenticate a request\n
"},{"location":"jwtlib/exceptions/#jwtlib.exceptions.NotAuthenticated","title":"NotAuthenticated","text":"

Bases: AuthError

Raised when authentication is required but no user context is present.

Notes

Guarantees:

- Typically used when attempting to access a protected operation without an authenticated user\n
"},{"location":"jwtlib/exceptions/#jwtlib.exceptions.UserNotFound","title":"UserNotFound","text":"

Bases: AuthError

Raised when a valid token does not map to an existing user.

Notes

Guarantees:

- Indicates that authentication succeeded at the token level, but the associated user record could not be resolved\n
"},{"location":"jwtlib/introspection/","title":"Introspection","text":""},{"location":"jwtlib/introspection/#jwtlib.introspection","title":"jwtlib.introspection","text":"

Auth client and access-control utilities.

"},{"location":"jwtlib/introspection/#jwtlib.introspection--summary","title":"Summary","text":"

This module provides pure authentication and authorization logic for validating JWTs via service-to-service introspection and resolving authenticated users.

Notes

Responsibilities:

- Calling the auth service introspection endpoint\n- Translating introspection responses into typed user models\n- Enforcing access control decisions at the logic layer\n

Constraints:

- This module intentionally does NOT: Parse HTTP requests or headers, implement authentication policies, or perform JWT signature verification locally.\n
"},{"location":"jwtlib/introspection/#jwtlib.introspection-classes","title":"Classes","text":""},{"location":"jwtlib/introspection/#jwtlib.introspection-functions","title":"Functions","text":""},{"location":"jwtlib/introspection/#jwtlib.introspection.authenticate_request","title":"authenticate_request async","text":"
authenticate_request(should_skip_authentication: Callable[[str, str], bool], *, method: str, path: str, authorization_token: Optional[str]) -> Optional[PublicUser]\n

Authenticate an incoming request using token introspection.

Parameters:

Name Type Description Default should_skip_authentication Callable[[str, str], bool]

Callable that decides whether authentication is required for a given HTTP method and path.

required method str

HTTP method of the incoming request.

required path str

Request path.

required authorization_token str | None

JWT access token provided by the caller.

required

Returns:

Type Description Optional[PublicUser]

PublicUser | None: PublicUser if authentication succeeds; None if authentication is skipped.

Raises:

Type Description InvalidToken

If authentication is required but the token is missing, invalid, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached.

Notes

Responsibilities:

- Determines whether authentication should be skipped for the given request context and, if not, resolves the authenticated user via token introspection\n

Guarantees:

- This function does not parse Authorization headers; callers must supply the raw token. Access-control policy is externalized via `should_skip_authentication`.\n
"},{"location":"jwtlib/introspection/#jwtlib.introspection.introspect_token","title":"introspect_token async","text":"
introspect_token(token: str) -> dict[str, Any]\n

Introspect a JWT using the external authentication service.

Parameters:

Name Type Description Default token str

JWT access token to introspect.

required

Returns:

Type Description dict[str, Any]

dict[str, Any]: A dictionary containing the authenticated user's public payload.

Raises:

Type Description InvalidToken

If the token is missing, invalid, inactive, or revoked.

AuthServiceUnavailable

If the auth service cannot be reached or fails unexpectedly.

Notes

Guarantees:

- This function treats the auth service as the source of truth. No local JWT validation or signature checking is performed here. The returned payload is expected to be safe for public exposure.\n
"},{"location":"jwtlib/repository/","title":"Repository","text":""},{"location":"jwtlib/repository/#jwtlib.repository","title":"jwtlib.repository","text":"

UserRepository: Persistence layer for authentication.

"},{"location":"jwtlib/repository/#jwtlib.repository--summary","title":"Summary","text":"

This module defines the MongoDB-backed repository for managing user records, including creation, lookup, and credential verification.

"},{"location":"jwtlib/repository/#jwtlib.repository-classes","title":"Classes","text":""},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository","title":"UserRepository","text":"
UserRepository()\n

Bases: BaseRepository[User]

MongoDB-backed repository for User documents.

Notes

Responsibilities:

- Managing user persistence (CRUD)\n- Credential verification and token issuance\n
"},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository-functions","title":"Functions","text":""},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository.authenticate_user","title":"authenticate_user async","text":"
authenticate_user(user_auth: LoginRequest) -> Optional[dict]\n

Verify user credentials and prepare a login response.

Parameters:

Name Type Description Default user_auth LoginRequest

Login credentials.

required

Returns:

Type Description Optional[dict]

dict | None: A dictionary containing the access token and public user if successful, otherwise None.

"},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository.create","title":"create async","text":"
create(user_create: RegisterRequest) -> PublicUser\n

Create a new user record.

Parameters:

Name Type Description Default user_create RegisterRequest

Registration data including prospective password.

required

Returns:

Name Type Description PublicUser PublicUser

A PublicUser representation of the created user.

"},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository.get_active_users","title":"get_active_users async","text":"
get_active_users(skip: int = 0, limit: int = 100) -> List[User]\n

List all active users with pagination.

Parameters:

Name Type Description Default skip int

Number of records to skip.

0 limit int

Maximum number of records to return.

100

Returns:

Type Description List[User]

List[User]: A list of active User documents.

"},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository.get_by_email","title":"get_by_email async","text":"
get_by_email(email: str) -> Optional[User]\n

Retrieve a user by their unique email address.

Parameters:

Name Type Description Default email str

The email address to search for.

required

Returns:

Type Description Optional[User]

Optional[User]: The User document if found, otherwise None.

"},{"location":"jwtlib/repository/#jwtlib.repository.UserRepository.get_by_username","title":"get_by_username async","text":"
get_by_username(username: str) -> Optional[User]\n

Retrieve a user by their unique username.

Parameters:

Name Type Description Default username str

The username to search for.

required

Returns:

Type Description Optional[User]

Optional[User]: The User document if found, otherwise None.

"},{"location":"jwtlib/repository/#jwtlib.repository-functions","title":"Functions","text":""},{"location":"jwtlib/security/","title":"Security","text":""},{"location":"jwtlib/security/#jwtlib.security","title":"jwtlib.security","text":"

Security utilities: Password hashing and JWT management.

"},{"location":"jwtlib/security/#jwtlib.security--summary","title":"Summary","text":"

This module provides low-level cryptographic helpers for password hashing and JWT token lifecycle management. It serves as the cryptographic engine for the authentication library.

"},{"location":"jwtlib/security/#jwtlib.security-classes","title":"Classes","text":""},{"location":"jwtlib/security/#jwtlib.security-functions","title":"Functions","text":""},{"location":"jwtlib/security/#jwtlib.security.create_access_token","title":"create_access_token","text":"
create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str\n

Generate a new JWT access token.

Parameters:

Name Type Description Default data dict

Subject data to include in the token payload.

required expires_delta timedelta

Optional expiration override.

None

Returns:

Name Type Description str str

An encoded JWT string.

"},{"location":"jwtlib/security/#jwtlib.security.get_jwt_payload","title":"get_jwt_payload","text":"
get_jwt_payload(token: str) -> TokenPayload\n

Decode and validate a JWT, returning a strongly-typed payload.

Parameters:

Name Type Description Default token str

The JWT string to decode.

required

Returns:

Name Type Description TokenPayload TokenPayload

The decoded and typed token payload.

Raises:

Type Description JWTError

If the token is invalid, expired, or malformed.

"},{"location":"jwtlib/security/#jwtlib.security.hash_password","title":"hash_password","text":"
hash_password(password: str) -> str\n

Hash a plain-text password using the configured crypt context.

Parameters:

Name Type Description Default password str

The plain-text password to hash.

required

Returns:

Name Type Description str str

The secure hash string.

"},{"location":"jwtlib/security/#jwtlib.security.verify_password","title":"verify_password","text":"
verify_password(plain_password: str, hashed_password: str) -> bool\n

Verify a plain-text password against a stored hash.

Parameters:

Name Type Description Default plain_password str

The unhashed password provided by the user.

required hashed_password str

The secure hash to verify against.

required

Returns:

Name Type Description bool bool

True if the password is valid, False otherwise.

"},{"location":"jwtlib/utils/","title":"Utils","text":""},{"location":"jwtlib/utils/#jwtlib.utils","title":"jwtlib.utils","text":"

Auth Utilities: Token validation and user resolution.

"},{"location":"jwtlib/utils/#jwtlib.utils--summary","title":"Summary","text":"

This module provides high-level helpers for validating JWT payloads and resolving users, intended for use in dependency injection or middleware.

"},{"location":"jwtlib/utils/#jwtlib.utils-classes","title":"Classes","text":""},{"location":"jwtlib/utils/#jwtlib.utils-functions","title":"Functions","text":""},{"location":"jwtlib/utils/#jwtlib.utils.get_current_user","title":"get_current_user async","text":"
get_current_user(token: str, repo: Optional[UserRepository] = None) -> PublicUser\n

Validate token and return authenticated public user.

Parameters:

Name Type Description Default token str

The JWT string to validate.

required repo UserRepository

The user repository to use for resolution.

None

Returns:

Name Type Description PublicUser PublicUser

The resolved and validated user object.

Raises:

Type Description InvalidToken

If the token is missing, malformed, or invalid.

UserNotFound

If the token is valid, but the user does not exist in the repository.

"},{"location":"jwtlib/utils/#jwtlib.utils.get_user_repository","title":"get_user_repository","text":"
get_user_repository() -> UserRepository\n

Return a singleton or new instance of the UserRepository.

Returns:

Name Type Description UserRepository UserRepository

The user repository instance.

"},{"location":"jwtlib/utils/#jwtlib.utils.get_validated_token_payload","title":"get_validated_token_payload","text":"
get_validated_token_payload(token: str) -> TokenPayload\n

Validate a JWT and return a typed payload.

Parameters:

Name Type Description Default token str

The JWT string to validate.

required

Returns:

Name Type Description TokenPayload TokenPayload

The validated and typed token payload.

Raises:

Type Description JWTError

If the token is invalid or malformed.

"},{"location":"jwtlib/models/","title":"Models","text":""},{"location":"jwtlib/models/#jwtlib.models","title":"jwtlib.models","text":"

jwtlib Models: Structured Data for Authentication.

"},{"location":"jwtlib/models/#jwtlib.models--summary","title":"Summary","text":"

This package defines the core data models used by jwtlib. These models are categorized into request payloads, response objects, persistence documents, and security context.

"},{"location":"jwtlib/models/#jwtlib.models--model-categories","title":"Model Categories","text":"

API Requests: - RegisterRequest: Payload for creating new user accounts. - LoginRequest: User credentials for issuing JWTs. - IntrospectRequest: Internal payload for service-to-service token verification.

API Responses: - PublicUser: A safe, non-sensitive projection of a user profile. - LoginResponse: Contains the issued access token and the PublicUser. - LogoutResponse: Instruction for clients to clear stateless session state.

Internal & Security: - User: The MongoDB-backed persistence model (Confined to repository layer). - TokenPayload: Decoded claims from a validated JWT (sub, exp). - IntrospectResponse: Structured result of a token validity check.

"},{"location":"jwtlib/models/#jwtlib.models--usage","title":"Usage","text":"

Validating an Auth Request:

from jwtlib.models import LoginRequest\nauth_data = LoginRequest(username=\"tester\", password=\"secure_password\")\n

Projecting a User to Public View:

from jwtlib.models import User, PublicUser\nuser_profile = PublicUser.model_validate(db_user, from_attributes=True)\n
"},{"location":"jwtlib/models/#jwtlib.models--public-api","title":"Public API","text":"

This package re-exports all validated data models required by the authentication system. Consumers should import from this namespace to ensure type safety and consistency.

"},{"location":"jwtlib/models/#jwtlib.models-classes","title":"Classes","text":""},{"location":"jwtlib/models/#jwtlib.models.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"jwtlib/models/#jwtlib.models.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"jwtlib/models/#jwtlib.models.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"jwtlib/models/#jwtlib.models.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"jwtlib/models/#jwtlib.models.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"jwtlib/models/#jwtlib.models.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"jwtlib/models/#jwtlib.models.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"jwtlib/models/#jwtlib.models.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"},{"location":"jwtlib/models/#jwtlib.models.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"jwtlib/models/app/","title":"App","text":""},{"location":"jwtlib/models/app/#jwtlib.models.app","title":"jwtlib.models.app","text":"

Authentication request and response models.

"},{"location":"jwtlib/models/app/#jwtlib.models.app--summary","title":"Summary","text":"

This module defines all typed data models used by the authentication library for user registration, login, logout, and token introspection.

Notes

Model Categories:

- Request payloads used by authentication workflows\n- Public response models exposed to consumers\n- Introspection responses used for service-to-service authentication\n

Design Principles:

- Fully typed (Pydantic v2)\n- Serialization-safe\n- Framework-agnostic\n- Suitable for both internal logic and external adapters\n
"},{"location":"jwtlib/models/app/#jwtlib.models.app-classes","title":"Classes","text":""},{"location":"jwtlib/models/app/#jwtlib.models.app.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"jwtlib/models/app/#jwtlib.models.app.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"jwtlib/models/common/","title":"Common","text":""},{"location":"jwtlib/models/common/#jwtlib.models.common","title":"jwtlib.models.common","text":"

Common Pydantic mixins for authentication models.

"},{"location":"jwtlib/models/common/#jwtlib.models.common--summary","title":"Summary","text":"

This module provides reusable mixins for identity, password, and account state. These mixes ensure consistency across internal persistence models and public-facing projection models.

"},{"location":"jwtlib/models/common/#jwtlib.models.common-classes","title":"Classes","text":""},{"location":"jwtlib/models/common/#jwtlib.models.common.ActiveStateMixin","title":"ActiveStateMixin","text":"

Bases: BaseModel

Mixin for entities with an active status flag.

Attributes:

Name Type Description is_active bool

Indicates whether the account is active and allowed to authenticate.

"},{"location":"jwtlib/models/common/#jwtlib.models.common.IdentityMixin","title":"IdentityMixin","text":"

Bases: BaseModel

Mixin for entities with a username and email.

Attributes:

Name Type Description username str

Unique username used for authentication and display.

email Optional[EmailStr]

Primary email address associated with the account.

"},{"location":"jwtlib/models/common/#jwtlib.models.common.PasswordMixin","title":"PasswordMixin","text":"

Bases: BaseModel

Mixin for entities with a raw password field.

Attributes:

Name Type Description password str

User password (minimum 6 characters).

"},{"location":"jwtlib/models/mongo/","title":"Mongo","text":""},{"location":"jwtlib/models/mongo/#jwtlib.models.mongo","title":"jwtlib.models.mongo","text":"

Persistence-layer user model for MongoDB.

"},{"location":"jwtlib/models/mongo/#jwtlib.models.mongo--summary","title":"Summary","text":"

This module defines the internal database representation of a user. It is used exclusively by the repository and persistence layers and must never be exposed directly to consumers.

Public-facing user data is provided via dedicated projection models.

"},{"location":"jwtlib/models/mongo/#jwtlib.models.mongo-classes","title":"Classes","text":""},{"location":"jwtlib/models/mongo/#jwtlib.models.mongo.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"jwtlib/models/security/","title":"Security","text":""},{"location":"jwtlib/models/security/#jwtlib.models.security","title":"jwtlib.models.security","text":"

JWT token payload models.

"},{"location":"jwtlib/models/security/#jwtlib.models.security--summary","title":"Summary","text":"

This module defines typed representations of decoded JWT payloads used internally for token validation and user resolution.

"},{"location":"jwtlib/models/security/#jwtlib.models.security-classes","title":"Classes","text":""},{"location":"jwtlib/models/security/#jwtlib.models.security.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"},{"location":"models/","title":"Models","text":""},{"location":"models/#jwtlib.models","title":"jwtlib.models","text":"

jwtlib Models: Structured Data for Authentication.

"},{"location":"models/#jwtlib.models--summary","title":"Summary","text":"

This package defines the core data models used by jwtlib. These models are categorized into request payloads, response objects, persistence documents, and security context.

"},{"location":"models/#jwtlib.models--model-categories","title":"Model Categories","text":"

API Requests: - RegisterRequest: Payload for creating new user accounts. - LoginRequest: User credentials for issuing JWTs. - IntrospectRequest: Internal payload for service-to-service token verification.

API Responses: - PublicUser: A safe, non-sensitive projection of a user profile. - LoginResponse: Contains the issued access token and the PublicUser. - LogoutResponse: Instruction for clients to clear stateless session state.

Internal & Security: - User: The MongoDB-backed persistence model (Confined to repository layer). - TokenPayload: Decoded claims from a validated JWT (sub, exp). - IntrospectResponse: Structured result of a token validity check.

"},{"location":"models/#jwtlib.models--usage","title":"Usage","text":"

Validating an Auth Request:

from jwtlib.models import LoginRequest\nauth_data = LoginRequest(username=\"tester\", password=\"secure_password\")\n

Projecting a User to Public View:

from jwtlib.models import User, PublicUser\nuser_profile = PublicUser.model_validate(db_user, from_attributes=True)\n
"},{"location":"models/#jwtlib.models--public-api","title":"Public API","text":"

This package re-exports all validated data models required by the authentication system. Consumers should import from this namespace to ensure type safety and consistency.

"},{"location":"models/#jwtlib.models-classes","title":"Classes","text":""},{"location":"models/#jwtlib.models.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"models/#jwtlib.models.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"models/#jwtlib.models.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"models/#jwtlib.models.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"models/#jwtlib.models.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"models/#jwtlib.models.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"models/#jwtlib.models.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"models/#jwtlib.models.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"},{"location":"models/#jwtlib.models.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"models/app/","title":"App","text":""},{"location":"models/app/#jwtlib.models.app","title":"jwtlib.models.app","text":"

Authentication request and response models.

"},{"location":"models/app/#jwtlib.models.app--summary","title":"Summary","text":"

This module defines all typed data models used by the authentication library for user registration, login, logout, and token introspection.

Notes

Model Categories:

- Request payloads used by authentication workflows\n- Public response models exposed to consumers\n- Introspection responses used for service-to-service authentication\n

Design Principles:

- Fully typed (Pydantic v2)\n- Serialization-safe\n- Framework-agnostic\n- Suitable for both internal logic and external adapters\n
"},{"location":"models/app/#jwtlib.models.app-classes","title":"Classes","text":""},{"location":"models/app/#jwtlib.models.app.IntrospectRequest","title":"IntrospectRequest","text":"

Bases: BaseModel

Payload for requesting token introspection.

Attributes:

Name Type Description token str

JWT access token to introspect.

"},{"location":"models/app/#jwtlib.models.app.IntrospectResponse","title":"IntrospectResponse","text":"

Bases: BaseModel

Result of a token introspection operation.

Attributes:

Name Type Description active bool

Indicates whether the token is valid and active.

user Optional[PublicUser]

Public user details if the token is valid; otherwise null.

"},{"location":"models/app/#jwtlib.models.app.LoginRequest","title":"LoginRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for authenticating a user and issuing a JWT.

Attributes:

Name Type Description username str

Username identifier.

password str

Plain-text password to be verified.

"},{"location":"models/app/#jwtlib.models.app.LoginResponse","title":"LoginResponse","text":"

Bases: BaseModel

Response returned after successful authentication.

Attributes:

Name Type Description access_token str

JWT access token for authenticated requests.

user PublicUser

Public profile of the authenticated user.

"},{"location":"models/app/#jwtlib.models.app.LogoutResponse","title":"LogoutResponse","text":"

Bases: BaseModel

Response returned after a logout operation.

Attributes:

Name Type Description message str

Human-readable logout confirmation.

"},{"location":"models/app/#jwtlib.models.app.PublicUser","title":"PublicUser","text":"

Bases: IdentityMixin, ActiveStateMixin

Public-facing user representation returned by authentication APIs.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

is_active bool

Whether the user account is active.

"},{"location":"models/app/#jwtlib.models.app.RegisterRequest","title":"RegisterRequest","text":"

Bases: IdentityMixin, PasswordMixin

Payload for registering a new user account.

Attributes:

Name Type Description username str

Unique username identifier.

email EmailStr

User's email address.

password str

Plain-text password (to be hashed by the repository layer).

"},{"location":"models/common/","title":"Common","text":""},{"location":"models/common/#jwtlib.models.common","title":"jwtlib.models.common","text":"

Common Pydantic mixins for authentication models.

"},{"location":"models/common/#jwtlib.models.common--summary","title":"Summary","text":"

This module provides reusable mixins for identity, password, and account state. These mixes ensure consistency across internal persistence models and public-facing projection models.

"},{"location":"models/common/#jwtlib.models.common-classes","title":"Classes","text":""},{"location":"models/common/#jwtlib.models.common.ActiveStateMixin","title":"ActiveStateMixin","text":"

Bases: BaseModel

Mixin for entities with an active status flag.

Attributes:

Name Type Description is_active bool

Indicates whether the account is active and allowed to authenticate.

"},{"location":"models/common/#jwtlib.models.common.IdentityMixin","title":"IdentityMixin","text":"

Bases: BaseModel

Mixin for entities with a username and email.

Attributes:

Name Type Description username str

Unique username used for authentication and display.

email Optional[EmailStr]

Primary email address associated with the account.

"},{"location":"models/common/#jwtlib.models.common.PasswordMixin","title":"PasswordMixin","text":"

Bases: BaseModel

Mixin for entities with a raw password field.

Attributes:

Name Type Description password str

User password (minimum 6 characters).

"},{"location":"models/mongo/","title":"Mongo","text":""},{"location":"models/mongo/#jwtlib.models.mongo","title":"jwtlib.models.mongo","text":"

Persistence-layer user model for MongoDB.

"},{"location":"models/mongo/#jwtlib.models.mongo--summary","title":"Summary","text":"

This module defines the internal database representation of a user. It is used exclusively by the repository and persistence layers and must never be exposed directly to consumers.

Public-facing user data is provided via dedicated projection models.

"},{"location":"models/mongo/#jwtlib.models.mongo-classes","title":"Classes","text":""},{"location":"models/mongo/#jwtlib.models.mongo.User","title":"User","text":"

Bases: BaseDocument, IdentityMixin, ActiveStateMixin

Internal user persistence model.

Attributes:

Name Type Description hashed_password str

Secure hash of the user's password.

Notes

Responsibilities:

- Represents a user record as stored in the database. Includes sensitive fields and is strictly confined to the persistence layer.\n

Guarantees:

- This model MUST NOT be returned from authentication APIs. Consumers should use `PublicUser` instead. Password verification is handled by the repository layer.\n
"},{"location":"models/security/","title":"Security","text":""},{"location":"models/security/#jwtlib.models.security","title":"jwtlib.models.security","text":"

JWT token payload models.

"},{"location":"models/security/#jwtlib.models.security--summary","title":"Summary","text":"

This module defines typed representations of decoded JWT payloads used internally for token validation and user resolution.

"},{"location":"models/security/#jwtlib.models.security-classes","title":"Classes","text":""},{"location":"models/security/#jwtlib.models.security.TokenPayload","title":"TokenPayload","text":"

Bases: BaseModel

Decoded JWT payload.

Attributes:

Name Type Description sub str

Subject claim identifying the user (typically a username or user ID).

exp int

Expiration time as a Unix timestamp (seconds since epoch).

Notes

Responsibilities:

- Represents the validated claims extracted from a JWT after signature verification. This model is used internally to enforce required claims and provide a typed interface to token data.\n

Guarantees:

- This model assumes the JWT signature has already been verified. No authorization decisions should be made solely on this model. Additional claims may exist but are intentionally ignored.\n
"}]}