Overview
authfort-service is a lightweight JWT verifier for microservices. It validates tokens issued by an AuthFort server without needing database access.
When to Use It
Use authfort-service when you have a separate service that needs to verify users but doesn’t manage authentication itself. For example:
- An orders service that needs to know who the user is
- An analytics API that requires admin access
- A notifications service that processes user-specific data
These services don’t need to know about passwords, sessions, or OAuth — they just need to verify that a request comes from an authenticated user.
How It Works
- Your auth server (running authfort) issues JWTs and publishes public keys at /.well-known/jwks.json
- Your microservice (running authfort-service) fetches the public keys from JWKS
- When a request comes in, it verifies the JWT signature using the cached public key
- No database or network call needed for verification (keys are cached)
Quick Start
```python
import asyncio

from authfort_service import ServiceAuth

# One verifier per process: it fetches and caches the public keys from JWKS
service = ServiceAuth(
    jwks_url="https://auth.example.com/.well-known/jwks.json",
    issuer="authfort",
)

async def whoami(token: str):
    # verify_token is a coroutine; it checks the signature against the cached keys
    payload = await service.verify_token(token)
    print(payload.sub)    # user ID
    print(payload.roles)  # e.g. ["admin", "editor"]

asyncio.run(whoami(token))  # token: the bearer token taken from the incoming request
```

Verification Modes
| Mode | How | Latency | Real-time Revocation |
|---|---|---|---|
| JWKS only | Verify signature locally | None (cached keys) | No — tokens valid until expiry |
| JWKS + Introspection | Verify signature, then check auth server | 1 network call | Yes — checks ban, session, version |
JWKS-only is the default. Add introspection when you need real-time revocation checks (e.g., for sensitive operations).
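The following is an added, stand-alone illustration of the two steps described above (How It Works and Verification Modes); it is not code from authfort-service and does not use its API. It keeps a key cache indexed by the token's `kid`, verifies the signature and the `iss`/`exp` claims locally ("JWKS only"), and optionally consults a simulated introspection check ("JWKS + Introspection") that can reject a token before it expires. To run offline with only the standard library it uses a constructed symmetric `"oct"` JWK with HS256 (RFC 7517 allows this key type) where a real AuthFort deployment would publish RSA or EC public keys; the JWKS document, the secret, the `mint_token` issuer, `REVOKED_JTIS` and `introspect` are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and JWKS document (not a real credential). A real
# server publishes asymmetric public keys; "oct" is used here so the demo is
# self-contained and needs no third-party crypto package.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


DEMO_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "demo-key-1", "alg": "HS256",
         "k": b64url_encode(DEMO_SECRET)}
    ]
}


class KeyCache:
    """Keys from a fetched JWKS document, indexed by kid (the 'cached keys' step)."""

    def __init__(self, jwks: dict):
        self._keys = {k["kid"]: k for k in jwks["keys"]}

    def secret_for(self, kid: str) -> bytes:
        jwk = self._keys.get(kid)
        if jwk is None or jwk.get("kty") != "oct":
            raise ValueError(f"unknown or unsupported key id: {kid!r}")
        return b64url_decode(jwk["k"])


def mint_token(payload: dict, kid: str = "demo-key-1",
               secret: bytes = DEMO_SECRET) -> str:
    """Constructed HS256 issuer, used only to produce sample tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed stand-in for the auth server's ban/session state.
REVOKED_JTIS = {"jti-banned"}


def introspect(payload: dict) -> bool:
    """Simulates the one extra network call of 'JWKS + Introspection' mode."""
    return payload.get("jti") not in REVOKED_JTIS


def verify_token(token: str, cache: KeyCache, issuer: str,
                 introspection: bool = False, now=None) -> dict:
    """Local verification; raises ValueError on any failure, returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Only accept an algorithm the verifier expects; never let the token choose.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    secret = cache.secret_for(header.get("kid", ""))
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    # JWKS-only stops here: a revoked token stays valid until exp.
    if introspection and not introspect(payload):
        raise ValueError("token revoked")
    return payload


def is_valid(token: str, cache: KeyCache, issuer: str,
             introspection: bool = False, now=None) -> bool:
    try:
        verify_token(token, cache, issuer, introspection, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cache = KeyCache(DEMO_JWKS)
    tok = mint_token({"sub": "user-1", "iss": "authfort", "exp": 2000,
                      "jti": "jti-banned", "roles": ["admin"]})
    print(is_valid(tok, cache, "authfort", now=1000))                      # True
    print(is_valid(tok, cache, "authfort", introspection=True, now=1000))  # False
```

The `is_valid` calls at the bottom show the trade-off from the table: the same banned token passes in JWKS-only mode because nothing local knows about the ban, and fails once introspection is enabled. The `now` parameter exists so expiry can be tested deterministically; a real verifier uses the clock and usually allows a small leeway.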