From a3a98c033d013c28b75e3eb2353909bf35206281 Mon Sep 17 00:00:00 2001
From: Davide Scaini <davide.scaini@alumni.cern>
Date: Tue, 2 Jun 2026 14:29:20 +0200
Subject: [PATCH] =?UTF-8?q?auth:=20add=20tokens.py=20=E2=80=94=20HS256=20J?=
 =?UTF-8?q?WT=20sign/verify=20helpers?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bincio/auth/tokens.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 bincio/auth/tokens.py

diff --git a/bincio/auth/tokens.py b/bincio/auth/tokens.py
new file mode 100644
index 0000000..93e1bee
--- /dev/null
+++ b/bincio/auth/tokens.py
@@ -0,0 +1,28 @@
+"""JWT helpers for bincio-auth.
+
+Tokens are HS256-signed JWTs.  Consumers validate locally using the shared
+secret — no round-trip to the auth service per request.
+"""
+
+from __future__ import annotations
+
+import time
+
+import jwt
+
+
+def create_token(payload: dict, secret: str, expires_in: int) -> str:
+    """Return a signed JWT.
+
+    Args:
+        payload:    Claims to embed (will be shallow-copied; 'exp' is added).
+        secret:     HS256 signing key.
+        expires_in: Validity window in seconds from now.
+    """
+    claims = {**payload, "exp": int(time.time()) + expires_in}
+    return jwt.encode(claims, secret, algorithm="HS256")
+
+
+def decode_token(token: str, secret: str) -> dict:
+    """Decode and verify a JWT.  Raises jwt.PyJWTError on any failure."""
+    return jwt.decode(token, secret, algorithms=["HS256"])