ubl-auth 0.1.2

DID-first Ed25519 JWT/JWKS verification for OIDC-style flows. Enforces alg=EdDSA, checks exp/nbf/iat, JWKS cache.

ubl-auth

Strict EdDSA (Ed25519) JWT/JWKS verification for OIDC-style flows. DID-first: expects sub to be a DID (e.g., did:key:z... / did:web:...).

  • Enforces alg = "EdDSA"
  • Validates exp / nbf / iat with leeway (default 300s)
  • Optional iss and aud checks via VerifyOptions
  • Built-in JWKS cache (TTL)
  • Zero unsafe

Install

[dependencies]
ubl-auth = "0.1.1"

Quickstart

use ubl_auth::{verify_ed25519_jwt_with_jwks, VerifyOptions};

fn main() -> anyhow::Result<()> {
    // Compact JWT to verify, supplied via the environment.
    let token = std::env::var("UBL_TOKEN")?;
    let jwks_uri = "https://id.ubl.agency/.well-known/jwks.json";
    // Require the expected issuer in addition to the default alg and time checks.
    let opts = VerifyOptions::default().with_issuer("https://id.ubl.agency");

    // Returns an error if any check fails.
    let claims = verify_ed25519_jwt_with_jwks(&token, jwks_uri, &opts)?;
    assert!(claims.sub.starts_with("did:"));
    Ok(())
}
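
The checks named in the feature list (exact alg, exp / nbf / iat with leeway, optional iss, DID subject), written out as an added std-only example. This is not ubl-auth's source: the `Token`, `Policy`, `Reject` and `check` names, the inclusive boundary handling and the sample values are assumptions for illustration, and signature verification against the JWKS key is left out.

```rust
// Added illustration, not ubl-auth source. All names here are hypothetical.
#[derive(Debug, PartialEq)]
enum Reject { Alg, Expired, NotYetValid, IssuedInFuture, Issuer, SubjectNotDid }

// Fields as they would look after the header and payload are decoded.
struct Token<'a> { alg: &'a str, iss: &'a str, sub: &'a str, exp: u64, nbf: u64, iat: u64 }

struct Policy<'a> { leeway: u64, issuer: Option<&'a str> }

fn check(t: &Token, p: &Policy, now: u64) -> Result<(), Reject> {
    // "alg" is case-sensitive: "none", "HS256" and "eddsa" are all refused,
    // so the token cannot choose a weaker verification path.
    if t.alg != "EdDSA" { return Err(Reject::Alg); }
    // Leeway absorbs clock skew between issuer and verifier (assumed inclusive).
    if now > t.exp.saturating_add(p.leeway) { return Err(Reject::Expired); }
    let latest = now.saturating_add(p.leeway);
    if t.nbf > latest { return Err(Reject::NotYetValid); }
    if t.iat > latest { return Err(Reject::IssuedInFuture); }
    // The issuer check is optional, as with VerifyOptions on this page.
    if let Some(want) = p.issuer {
        if t.iss != want { return Err(Reject::Issuer); }
    }
    // DID-first: the subject has to be a DID.
    if !t.sub.starts_with("did:") { return Err(Reject::SubjectNotDid); }
    Ok(())
}

const NOW: u64 = 1_700_000_000; // constructed timestamp

// Constructed sample token; only alg and exp vary between cases.
fn sample(alg: &str, exp: u64) -> Token<'_> {
    Token { alg, iss: "https://id.ubl.agency", sub: "did:key:z6MkExample",
            exp, nbf: NOW - 10, iat: NOW - 10 }
}

fn main() {
    let p = Policy { leeway: 300, issuer: Some("https://id.ubl.agency") };
    let cases = [("EdDSA", NOW + 60), ("none", NOW + 60), ("HS256", NOW + 60),
                 ("EdDSA", NOW - 300), ("EdDSA", NOW - 301)];
    for (alg, exp) in cases {
        println!("alg={alg} exp-now={} -> {:?}",
                 exp as i64 - NOW as i64, check(&sample(alg, exp), &p, NOW));
    }
}
```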