Validate and parse Auth0 JWT token in python

Question

When someone logs in on my website through Auth0, I get a JWT token from Auth0. This token tells me the UID of the person and allows me to make API calls from the frontend to the backend where I can validate the JWT token to make sure the request comes from a logged in user.

On https://jwt.io you can paste any JWT token and it'll parse it and verify the signature.

Does anyone know how I can do this in python?

Auth0 doesn't give me the private key of the JWT token, so I can't use jwt.decode().

Instead I need to somehow parse the JWT token with its public key, but I'm not sure how to retrieve it in python.

This is the JWT token:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImZneF9xWEJVNWt0ZzZXSlNLdTJIdiJ9.eyJuaWNrbmFtZSI6ImpvaG5fbWFyayIsIm5hbWUiOiJqb2huX21hcmtAb3V0bG9vay5jb20iLCJwaWN0dXJlIjoiaHR0cHM6Ly9zLmdyYXZhdGFyLmNvbS9hdmF0YXIvNTMxZmJlZjcxN2I1NzVmYjU3MGJlYzcxNTBlOWQ4MTA_cz00ODAmcj1wZyZkPWh0dHBzJTNBJTJGJTJGY2RuLmF1dGgwLmNvbSUyRmF2YXRhcnMlMkZqby5wbmciLCJ1cGRhdGVkX2F0IjoiMjAyMi0wNC0wNVQxNDoyMzozNy42NTFaIiwiZW1haWwiOiJqb2huX21hcmtAb3V0bG9vay5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHBzOi8vZGV2LW44Z2h5a3lvLnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MTdiZTllMzJhMmYyNjAwNmEzZDlhM2EiLCJhdWQiOiIwUGwwR1F5cFhjNkZEakxhb0JuSjhzOEtNZjVKZ3J4bSIsImlhdCI6MTY0OTE2ODYyMiwiZXhwIjoxNjQ5MjA0NjIyLCJub25jZSI6IlJuTjBmbFoyU0Vkck4wSkhRV1EyY21FMk1rNUpXVlUzTW1jM2RtaHlXVkJWYm5oalowMUNUR1paU3c9PSJ9.NQBQPoEj6wzYzclrQzXAWh124gyg_Nf1UYZR4lAuqHZ-fdFycrBMA0Y0dBSvQ-WI7YZOMAPjCRK0nuxKzj9kMQ0c-3finCgsl411tX5tvaX_Khe116le_eyBV28aQQLjqT0zvLaSgIYaJqcgshQ1bYvJp8UXPf8GkMWCD89pnqYPwexx9nsWjrnikInLY9oSbWYN1zA7DxwhygI_JeQc6Cvu6pl1xq8m_WZaCMSOJS2umyl_7vfA84cDX1Zz8aVWEOMinnbmR48sY79cEiIMplcYJA3QH4yFEawSWbzWnVUcv9VCgCJ7fCbqikF86fz2TrWYrI6eATJoVHOXDNDKwA

Answer 1

Of course you won't get the private key. But the private key is only used to sign the token. You only need the public key to verify the token. The jwt.decode()function is called decode, but also verifies the token, that's why the key is needed.

The documenation tells you, where to find your JWKS (JSON Web Key Set) with the public key.

Auth0 exposes a JWKS endpoint for each tenant, which is found at https://YOUR_DOMAIN/.well-known/jwks.json. This endpoint will contain the JWK used to verify all Auth0-issued JWTs for this tenant.

The issuer URL is also encoded in the token in the iss claim (you can see it when you inspect your token on https://jwt.io):

in your case: https://dev-n8ghykyo.us.auth0.com/.well-known/jwks.json

You can then retrieve the key from that endpoint with the code shown in this answer