# IAP JWT
Validate and decode Google Cloud Identity-Aware Proxy (IAP) JWTs
## Features
- Validate and decode JWTs issued by Google IAP <https://cloud.google.com/iap/docs/signed-headers-howto>
- Verify JWT signature using public keys from Google retrieved from the JWKS endpoint
- Validate standard claims like `exp`, `iat`, `aud`, `iss`
- Validate Google-specific claims like `hd` (hosted domain) and access levels
- Injectable public key retrieval and caching for testability
- Customizable validation options
## Installation
```sh
cargo add iap-jwt
```
Two crypto backends are available via features, `aws_lc_rs` and `rust_crypto` (default), exactly one of which must be enabled.
To use `aws_lc_rs` instead:
```sh
cargo add iap-jwt --no-default-features --features reqwest,aws_lc_rs
```
## Usage
```rust
use iap_jwt::ValidationConfig;

// Run this inside an async function that returns a `Result`, since `.await?` is used below.
let token = "..."; // JWT token from IAP
// reqwest Client implements iap_jwt::PublicKeySource with `reqwest` feature enabled (enabled by default)
let client = reqwest::Client::new();
let config = ValidationConfig::new(["/projects/1234567890/global/backendServices/test-service-id"])
    .with_google_hosted_domain(["example.com"])
    .with_access_levels(["ADMIN"]);
// Returns an error if signature or claim validation fails.
let claims = config.decode_and_validate(token, &client).await?;
println!("Authenticated user: {}", claims.sub);
```
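What the claim checks in the Features list and the policy set up in the usage block amount to, as an added std-only example that is not the crate's code or API. It runs on an already-decoded payload after signature verification; the type and function names, the 30-second leeway and the all-of reading of access levels are assumptions.

```rust
// Added illustration, not iap_jwt's code: claim checks on an already-decoded
// IAP payload. ES256 signature verification is assumed to have succeeded first.
// All names and the 30 s leeway are assumptions made for this example.
const IAP_ISSUER: &str = "https://cloud.google.com/iap";
const LEEWAY_SECS: u64 = 30;

pub struct Claims<'a> {
    pub iss: &'a str,
    pub aud: &'a str,
    pub exp: u64,
    pub iat: u64,
    pub hd: Option<&'a str>,
    pub access_levels: Vec<&'a str>,
}

pub struct Policy<'a> {
    pub audiences: Vec<&'a str>,
    pub hosted_domains: Vec<&'a str>,  // empty means no hd restriction
    pub required_levels: Vec<&'a str>, // assumed semantics: all must be present
}

#[derive(Debug, PartialEq)]
pub enum Rejected { Issuer, Audience, Expired, IssuedInFuture, HostedDomain, AccessLevel }

pub fn check(c: &Claims, p: &Policy, now: u64) -> Result<(), Rejected> {
    if c.iss != IAP_ISSUER { return Err(Rejected::Issuer); }
    // Exact match: a token minted for a different backend must not pass.
    if !p.audiences.contains(&c.aud) { return Err(Rejected::Audience); }
    if c.exp.saturating_add(LEEWAY_SECS) < now { return Err(Rejected::Expired); }
    if c.iat > now.saturating_add(LEEWAY_SECS) { return Err(Rejected::IssuedInFuture); }
    // Fail closed: a missing hd claim is rejected when a restriction is set.
    let hd_ok = p.hosted_domains.is_empty()
        || c.hd.map_or(false, |hd| p.hosted_domains.contains(&hd));
    if !hd_ok { return Err(Rejected::HostedDomain); }
    if !p.required_levels.iter().all(|l| c.access_levels.contains(l)) {
        return Err(Rejected::AccessLevel);
    }
    Ok(())
}

fn main() {
    // Constructed sample: audience reuses the placeholder from the usage block.
    let aud = "/projects/1234567890/global/backendServices/test-service-id";
    let p = Policy { audiences: vec![aud], hosted_domains: vec!["example.com"], required_levels: vec!["ADMIN"] };
    let c = Claims { iss: IAP_ISSUER, aud, exp: 1_700_000_600, iat: 1_700_000_000, hd: Some("example.com"), access_levels: vec!["ADMIN"] };
    println!("{:?}", check(&c, &p, 1_700_000_300));
}
```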
## License
This project is licensed under either of the following licenses, at your option:
- Apache-2.0
- MIT