nat.authentication.jwt_utils

Lightweight JWT extraction and decoding utilities for identity resolution (RFC 7519).

Functions

extract_bearer_token(→ str | None)

Extract the raw Bearer token string from an HTTP header.

decode_jwt_claims_unverified(→ dict[str, Any])

Decode JWT claims without signature verification (RFC 7519 Section 7.2).

Module Contents

extract_bearer_token(
connection: starlette.requests.Request | fastapi.WebSocket,
*,
header: str = 'authorization',
) → str | None

Extract the raw Bearer token string from an HTTP header.

Args:

connection: The incoming Starlette Request or WebSocket.

header: Header name to read the Bearer token from (case-insensitive).

Returns:

The raw token string, or None if no valid Bearer token is present.

decode_jwt_claims_unverified(token: str) → dict[str, Any]

Decode JWT claims without signature verification (RFC 7519 Section 7.2).

Intended for identity extraction only — callers are responsible for authenticating/verifying tokens via JWKS, OAuth flows, or other auth middleware before trusting the claims.

Args:

token: A raw JWT string (three dot-separated parts per RFC 7519 Section 3).

Returns:

The decoded claims dictionary.

Raises:

ValueError: If the token is empty, structurally malformed, or cannot be decoded.
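Why the claims must not be trusted before verification, shown as an added example that is not this module's own code: an unverified decode returns whatever the payload says, and only the signature check separates a genuine token from an edited one. Assumptions: `decode_claims_sketch`, `verify_hs256` and `sign_hs256` are hypothetical helpers, HS256 with a shared key stands in for the JWKS or OAuth verification the docstring mentions, and the key and tokens are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_claims_sketch(token: str) -> dict:
    """Hypothetical stand-in for an unverified decode: parses, checks nothing."""
    parts = token.split(".") if token else []
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    return claims

def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time HS256 check over 'header.payload'; the algorithm is pinned."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signed = f"{header_b64}.{payload_b64}".encode()
    return hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest())

def sign_hs256(claims: dict, key: bytes) -> str:
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

# Constructed sample data: a genuine token and a copy whose payload was edited
# while the original signature was kept.
KEY = b"constructed-demo-key"
GENUINE = sign_hs256({"sub": "alice"}, KEY)
_h, _p, _s = GENUINE.split(".")
EDITED = ".".join([_h, _b64url_encode(json.dumps({"sub": "mallory"}).encode()), _s])
```

Both tokens decode without error, so a caller that resolves identity from the decoded claims alone would accept the edited subject; only `verify_hs256` tells them apart.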