ubl-auth

Strict EdDSA (Ed25519) JWT/JWKS verification for OIDC-style flows. DID-first: expects sub to be a DID (e.g., did:key:z... / did:web:...).

• Enforces alg = "EdDSA"
• Validates exp / nbf / iat with leeway (default 300s)
• Optional iss and aud checks via VerifyOptions
• Built-in JWKS cache (TTL)
• Zero unsafe

Install

[dependencies]
ubl-auth = "0.1.1"

Quickstart

use ubl_auth::{verify_ed25519_jwt_with_jwks, VerifyOptions};

let token = std::env::var("UBL_TOKEN")?;
let jwks_uri = "https://id.ubl.agency/.well-known/jwks.json";
let opts = VerifyOptions::default().with_issuer("https://id.ubl.agency");

let claims = verify_ed25519_jwt_with_jwks(&token, jwks_uri, &opts)?;
assert!(claims.sub.starts_with("did:"));
# Ok::<(), anyhow::Error>(())