Module auth_keys


Per-user JWT signing keypairs.

Each user signs their own tokens with an RSA keypair: the private key lives only in their per-user database (user_auth_keys), the public key in the global users.jwt_public_key directory. Keys are stored as base64-encoded PEM — the same wire form the web layer’s token encode/decode already expects.
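The split described above only holds if a private key never lands in the global directory. The following write guard for that column is an added example, not code from this module; it assumes the standard base64 alphabet and the PEM labels `PUBLIC KEY` / `RSA PUBLIC KEY` and `PRIVATE KEY` / `RSA PRIVATE KEY`, and the names `classify`, `accept_for_directory` and `SAMPLE_PUBLIC` are hypothetical.

```rust
/// Which half of a keypair a stored base64-PEM value holds.
#[derive(Debug, PartialEq)]
pub enum KeyKind { Public, Private }

/// Constructed sample: base64 of a PUBLIC KEY PEM with a dummy body (not a real key).
pub const SAMPLE_PUBLIC: &str =
    "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KQUFBQUFBQUEKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t";

/// Decodes standard-alphabet base64 (assumed); trailing `=` padding is ignored.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u8);
    for c in s.trim_end_matches('=').bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return None, // any other byte: reject rather than skip
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Some(out)
}

/// Classifies a stored value by its PEM label; None if it is not a complete key PEM.
pub fn classify(stored: &str) -> Option<KeyKind> {
    let pem = String::from_utf8(b64_decode(stored.trim())?).ok()?;
    let label = pem.lines().next()?.strip_prefix("-----BEGIN ")?.strip_suffix("-----")?;
    let end = format!("-----END {label}-----");
    if !pem.lines().any(|l| l == end) { return None; } // truncated value
    match label {
        "PUBLIC KEY" | "RSA PUBLIC KEY" => Some(KeyKind::Public),
        "PRIVATE KEY" | "RSA PRIVATE KEY" => Some(KeyKind::Private),
        _ => None,
    }
}

/// Write guard for the global directory column: only a public key may be stored there.
pub fn accept_for_directory(stored: &str) -> bool {
    classify(stored) == Some(KeyKind::Public)
}

fn main() {
    println!("{:?}", classify(SAMPLE_PUBLIC));
}
```

The guard inspects only the PEM framing; it does not parse the key material or check the RSA modulus size.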

Structs

KeyPair
A freshly generated keypair, both halves base64-encoded PEM.

Functions

generate
Generates an RS256 keypair off the async runtime.
private_key_for
Fetches a user’s base64-PEM private signing key from their per-user database (user_auth_keys, a single-row table). Used on the token MINT path after the user has been identified.
public_key_for
Fetches a user’s base64-PEM public verification key from the global users directory. Used on the token VERIFY path, looked up by the (still-unverified) sub claim — so the right key is fetched before the per-user DB is reachable. Returns None if the user is unknown or has no key.