+ ~j$^RIHt^RIt^RIt^RIHt^RIHt^RI H t ^RI H t H t ^RIHt^RIHtHt^R IHt^R IHtHt^R IHt!R R 4tR#)) annotationsN) lru_cache) SSLContext)Any) HTTPErrorURLError)urlparse)PyJWKPyJWKSet)decode_complete)PyJWKClientConnectionErrorPyJWKClientError) JWKSetCachec]tRt^tRRRlltRRltRRRlltRRR lltR R ltR R lt ] RRl4t Rt R#) PyJWKClientNc8V^8dQhRRRRRRRRRR R R R R R R/#)uristr cache_keysboolmax_cached_keysint cache_jwk_setlifespanfloatheaderszdict[str, Any] | Nonetimeout ssl_contextzSSLContext | None)formats"d/Users/mitch_tango/dev/rabbit-r1-livekit/agent/.venv/lib/python3.14/site-packages/jwt/jwks_client.py __annotate__PyJWKClient.__annotate__sdV3V3 V3V3 V3  V3  V3'V3V3'V3c  Vf/p\V4PP4p V R9d\RV : R24hWnRVnW`nWpnWnV'd(V^8:d\RV R24h\V4VnMRVnV'd%\VR7!VP4p Wn R#R#)uA client for retrieving signing keys from a JWKS endpoint. ``PyJWKClient`` uses a two-tier caching system to avoid unnecessary network requests: **Tier 1 — JWK Set cache** (enabled by default): Caches the entire JSON Web Key Set response from the endpoint. Controlled by: - ``cache_jwk_set``: Set to ``True`` (the default) to enable this cache. When enabled, the JWK Set is fetched from the network only when the cache is empty or expired. - ``lifespan``: Time in seconds before the cached JWK Set expires. Defaults to ``300`` (5 minutes). Must be greater than 0. **Tier 2 — Signing key cache** (disabled by default): Caches individual signing keys (looked up by ``kid``) using an LRU cache with **no time-based expiration**. Keys are evicted only when the cache reaches its maximum size. Controlled by: - ``cache_keys``: Set to ``True`` to enable this cache. Defaults to ``False``. - ``max_cached_keys``: Maximum number of signing keys to keep in the LRU cache. Defaults to ``16``. :param uri: The URL of the JWKS endpoint. :type uri: str :param cache_keys: Enable the per-key LRU cache (Tier 2). :type cache_keys: bool :param max_cached_keys: Max entries in the signing key LRU cache. :type max_cached_keys: int :param cache_jwk_set: Enable the JWK Set response cache (Tier 1). :type cache_jwk_set: bool :param lifespan: TTL in seconds for the JWK Set cache. :type lifespan: float :param headers: Optional HTTP headers to include in requests. :type headers: dict or None :param timeout: HTTP request timeout in seconds. :type timeout: float :param ssl_context: Optional SSL context for the request. :type ssl_context: ssl.SSLContext or None NzInvalid JWKS URI scheme z(: only 'http' and 'https' are supported.z/Lifespan must be greater than 0, the input is "")maxsize)httphttps) r schemelowerrr jwk_set_cacherrrrrget_signing_key) selfrrrrrrrrr+r.s &&&&&&&&& r"__init__PyJWKClient.__init__sj ?G #%%++- * *"*6*5!" 15  & 1}&EhZqQ"-X!6D !%D  '@AUAUVO#2 r%cV^8dQhRR/#)rreturnrr )r!s"r"r#r$jsCr%c @\PPVPVPR7p\PP WP VPR7;_uu_4p\P!V4pRRR4TP eTP P#X4X# +'giL;;i \\3d<p\T\4'dTP4\RT R24ThRp?ii;i)a5Fetch the JWK Set from the JWKS endpoint. Makes an HTTP request to the configured ``uri`` and returns the parsed JSON response. If the JWK Set cache is enabled, the response is stored in the cache. :returns: The parsed JWK Set as a dictionary. :raises PyJWKClientConnectionError: If the HTTP request fails. )urlr)rcontextNz'Fail to fetch data from the url, err: "r')urllibrequestRequestrrurlopenrrjsonloadr TimeoutError isinstancercloser r-put)r/rresponsejwk_setes& r" fetch_dataPyJWKClient.fetch_datajs &&488T\\&JA''<<1A1A())H-    )    " "7 +#,' !Y'' ,9!A>  s6A2C4B> C> C CCD"6DDc V^8dQhRRRR/#)rrefreshrr3r r )r!s"r"r#r$s((4(H(r%c RpVPe#V'gVPP4pVfVP4p\V\4'g \ R4h\ P!V4#)aReturn the JWK Set, using the cache when available. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: The JWK Set. :rtype: PyJWKSet :raises PyJWKClientError: If the endpoint does not return a JSON object. Nz.The JWKS endpoint did not return a JSON object)r-getrEr>dictrr from_dict)r/rHdatas&& r" get_jwk_setPyJWKClient.get_jwk_setsf    )'%%))+D <??$D$%%"#ST T!!$''r%c V^8dQhRRRR/#)rrHrr3 list[PyJWK]r )r!s"r"r#r$sr%c VPV4pVPUu.uF,pVPR9gKVP'gK*VNK. ppV'g \ R4hV#uupi)a_Return all signing keys from the JWK Set. Filters the JWK Set to keys whose ``use`` is ``"sig"`` (or unspecified) and that have a ``kid``. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: A list of signing keys. :rtype: list[PyJWK] :raises PyJWKClientError: If no signing keys are found. z2The JWKS endpoint did not contain any signing keys)sigN)rNkeyspublic_key_usekey_idr)r/rHrC jwk_set_key signing_keyss&& r"get_signing_keysPyJWKClient.get_signing_keysst""7+ '|| + ))]: ?J?Q?Q K+  "#WX X sA)A) A)c V^8dQhRRRR/#)rkidrr3r r )r!s"r"r#r$s35r%c VP4pVPW!4pV'g;VPRR7pVPW!4pV'g\RV R24hV#)aYReturn the signing key matching the given ``kid``. If no match is found in the current JWK Set, the set is refreshed from the endpoint and the lookup is retried once. :param kid: The key ID to look up. :type kid: str :returns: The matching signing key. :rtype: PyJWK :raises PyJWKClientError: If no matching key is found after refreshing. T)rHz,Unable to find a signing key that matches: "r')rY match_kidr)r/r\rX signing_keys&& r"r.PyJWKClient.get_signing_keysh,,. nn\7 000>L..;K&B3%qIr%c V^8dQhRRRR/#)rtokenz str | bytesr3r r )r!s"r"r#r$s 7 7k 7e 7r%c r\VRR/R7pVR,pVPVPR44#)aReturn the signing key for a JWT by reading its ``kid`` header. Extracts the ``kid`` from the token's unverified header and delegates to :meth:`get_signing_key`. :param token: The encoded JWT. :type token: str or bytes :returns: The matching signing key. :rtype: PyJWK verify_signatureF)optionsheaderr\) decode_tokenr.rJ)r/rb unverifiedrfs&& r"get_signing_key_from_jwt$PyJWKClient.get_signing_key_from_jwts:"%2De1LM H%##FJJu$566r%c$V^8dQhRRRRRR/#)rrXrQr\rr3z PyJWK | Noner )r!s"r"r#r$s! #,r%c HRpVFpVPV8XgKTpV# V#)zFind a key in *signing_keys* that matches *kid*. :param signing_keys: The list of keys to search. :type signing_keys: list[PyJWK] :param kid: The key ID to match. :type kid: str :returns: The matching key, or ``None`` if not found. :rtype: PyJWK or None N)rV)rXr\r_keys&& r"r^PyJWKClient.match_kids5 CzzS !   r%)r.rr-rrr)FTi,NN)F) __name__ __module__ __qualname____firstlineno__r0rErNrYr.ri staticmethodr^__static_attributes__r r%r"rrs6V3p>(.28 7r%r) __future__rr;urllib.requestr7 functoolsrsslrtypingr urllib.errorrr urllib.parser api_jwkr r api_jwtr rg exceptionsr rr-rrr r%r"rs5" ,!$4D&eer%