
Module auth_keys


Per-user JWT signing/verification for the web layer.

Tokens are signed with each user’s own RSA key (private key in their per-user DB, public key in the global users directory). This module wraps the server key lookups + the token codec into mint/verify helpers the auth handlers call.

Verification always reads the authoritative public key from the directory — no public-key cache. A cache would risk accepting tokens signed with a rotated/revoked key until process restart; correctness wins over saving one indexed primary-key lookup. The DoS surface of unauthenticated lookups is addressed by rate-limiting the auth endpoints, not by caching.

Enums§

MintError

Functions§

mint
Mints a token of token_type for user_id, signed with that user’s private key.
secure_cookies
Whether auth cookies should carry the Secure attribute (sent only over HTTPS). Defaults to true; set INSECURE_COOKIES=1 for local plain-HTTP development. Bearer cookies (access/refresh tokens) must be Secure in production so they can’t leak over a downgraded HTTP request.
verify
Verifies a token of the EXPECTED type against its owner’s public key.
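The mint/verify shape described above, as an added, runnable illustration in Python with the `cryptography` package (this is not the module's own Rust code). Two in-memory dicts stand in for the per-user DB (private keys) and the global users directory (public keys); the owner is assumed to travel in the `sub` claim and the token type in an assumed `tt` claim. `verify` reads the directory on every call, so the rotation check at the end of the usage shows a token signed with a rotated key being rejected immediately, which a public-key cache would not do.

```python
import base64
import json
import time
from typing import Dict, Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class MintError(Exception):
    """No private key for the user (e.g. unknown user)."""


class VerifyError(Exception):
    """Token must be rejected; the message is the reason."""


# Constructed in-memory stand-ins for the per-user DB and the global users
# directory (assumption: the real module does DB lookups here).
PRIVATE_KEYS: Dict[str, rsa.RSAPrivateKey] = {}
PUBLIC_DIRECTORY: Dict[str, rsa.RSAPublicKey] = {}


def provision_user(user_id: str) -> None:
    """Fresh keypair: private half to the user's DB, public half to the directory."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    PRIVATE_KEYS[user_id] = key
    PUBLIC_DIRECTORY[user_id] = key.public_key()


def rotate_key(user_id: str) -> None:
    """Rotation replaces both halves; anything signed with the old key is now invalid."""
    provision_user(user_id)


def mint(token_type: str, user_id: str, ttl_secs: int = 900, now: Optional[int] = None) -> str:
    key = PRIVATE_KEYS.get(user_id)
    if key is None:
        raise MintError(f"no private key for user {user_id!r}")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"sub": user_id, "tt": token_type, "iat": now, "exp": now + ttl_secs}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def verify(expected_type: str, token: str, now: Optional[int] = None) -> dict:
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:
        raise VerifyError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise VerifyError("malformed token")
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if header.get("alg") != "RS256":
        raise VerifyError("unexpected alg")
    user_id = claims.get("sub")
    if not isinstance(user_id, str):
        raise VerifyError("missing sub")
    # Authoritative read on every call, no cache: a rotated or revoked key stops
    # validating the moment the directory changes.
    pub = PUBLIC_DIRECTORY.get(user_id)
    if pub is None:
        raise VerifyError("unknown user")
    try:
        pub.verify(sig, f"{h}.{p}".encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature as exc:
        raise VerifyError("bad signature") from exc
    # Claims are only meaningful once the signature is trusted.
    if claims.get("tt") != expected_type:
        raise VerifyError("wrong token type")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise VerifyError("expired")
    return claims


def verify_outcome(expected_type: str, token: str, now: int) -> str:
    """'ok' or the rejection reason, for checks and tests."""
    try:
        verify(expected_type, token, now=now)
        return "ok"
    except VerifyError as exc:
        return str(exc)


if __name__ == "__main__":
    provision_user("alice")
    t0 = 1_700_000_000
    tok = mint("access", "alice", now=t0)
    print(verify_outcome("access", tok, t0 + 10))   # ok
    print(verify_outcome("refresh", tok, t0 + 10))  # wrong token type
    rotate_key("alice")
    print(verify_outcome("access", tok, t0 + 10))   # bad signature
```

Note the ordering inside `verify`: the algorithm is pinned and the signature is checked before any claim is acted on, and the type check uses the caller's EXPECTED type rather than whatever the token says, so a refresh token presented where an access token is expected is rejected even though it is validly signed.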