Verify the ``jwt`` token signature and return the token claims. :param jwt: the token to be decoded :type jwt: str or bytes :param key: the key suitable for the allowed algorithm :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys`
(
self,
jwt: str | bytes,
key: AllowedPublicKeys | PyJWK | str | bytes = "",
algorithms: Sequence[str] | None = None,
options: Options | None = None,
# deprecated arg, remove in pyjwt3
verify: bool | None = None,
# could be used as passthrough to api_jws, consider removal in pyjwt3
detached_payload: bytes | None = None,
# passthrough arguments to _validate_claims
# consider putting in options
audience: str | Iterable[str] | None = None,
subject: str | None = None,
issuer: str | Container[str] | None = None,
leeway: float | timedelta = 0,
# kwargs
**kwargs: Any,
)
| 301 | return payload |
| 302 | |
| 303 | def decode( |
| 304 | self, |
| 305 | jwt: str | bytes, |
| 306 | key: AllowedPublicKeys | PyJWK | str | bytes = "", |
| 307 | algorithms: Sequence[str] | None = None, |
| 308 | options: Options | None = None, |
| 309 | # deprecated arg, remove in pyjwt3 |
| 310 | verify: bool | None = None, |
| 311 | # could be used as passthrough to api_jws, consider removal in pyjwt3 |
| 312 | detached_payload: bytes | None = None, |
| 313 | # passthrough arguments to _validate_claims |
| 314 | # consider putting in options |
| 315 | audience: str | Iterable[str] | None = None, |
| 316 | subject: str | None = None, |
| 317 | issuer: str | Container[str] | None = None, |
| 318 | leeway: float | timedelta = 0, |
| 319 | # kwargs |
| 320 | **kwargs: Any, |
| 321 | ) -> dict[str, Any]: |
| 322 | """Verify the ``jwt`` token signature and return the token claims. |
| 323 | |
| 324 | :param jwt: the token to be decoded |
| 325 | :type jwt: str or bytes |
| 326 | :param key: the key suitable for the allowed algorithm |
| 327 | :type key: str or bytes or PyJWK or :py:class:`jwt.algorithms.AllowedPublicKeys` |
| 328 | |
| 329 | :param algorithms: allowed algorithms, e.g. ``["ES256"]`` |
| 330 | If ``key`` is a :class:`PyJWK` object, allowed algorithms will default to the key algorithm. |
| 331 | |
| 332 | .. warning:: |
| 333 | |
| 334 | Do **not** compute the ``algorithms`` parameter based on |
| 335 | the ``alg`` from the token itself, or on any other data |
| 336 | that an attacker may be able to influence, as that might |
| 337 | expose you to various vulnerabilities (see `RFC 8725 §2.1 |
| 338 | <https://www.rfc-editor.org/rfc/rfc8725.html#section-2.1>`_). Instead, |
| 339 | either hard-code a fixed value for ``algorithms``, or |
| 340 | configure it in the same place you configure the |
| 341 | ``key``. Make sure not to mix symmetric and asymmetric |
| 342 | algorithms that interpret the ``key`` in different ways |
| 343 | (e.g. HS\\* and RS\\*). |
| 344 | :type algorithms: typing.Sequence[str] or None |
| 345 | |
| 346 | :param jwt.types.Options options: extended decoding and validation options |
| 347 | Refer to :py:class:`jwt.types.Options` for more information. |
| 348 | |
| 349 | :param audience: optional, the value for ``verify_aud`` check |
| 350 | :type audience: str or typing.Iterable[str] or None |
| 351 | :param subject: optional, the value for ``verify_sub`` check |
| 352 | :type subject: str or None |
| 353 | :param issuer: optional, the value for ``verify_iss`` check |
| 354 | :type issuer: str or typing.Container[str] or None |
| 355 | :param leeway: a time margin in seconds for the expiration check |
| 356 | :type leeway: float or datetime.timedelta |
| 357 | :rtype: dict[str, typing.Any] |
| 358 | :returns: the JWT claims |
| 359 | """ |
| 360 | if kwargs: |