Skip to content

feat: add JSON object support for ctx in token generation#237

Open
samsternberg wants to merge 1 commit intoskyflowapi:mainfrom
samsternberg:feat/ctx-json-object-support
Open

feat: add JSON object support for ctx in token generation#237
samsternberg wants to merge 1 commit intoskyflowapi:mainfrom
samsternberg:feat/ctx-json-object-support

Conversation

@samsternberg
Copy link
Copy Markdown

@samsternberg samsternberg commented Mar 30, 2026

Summary

  • Extends bearer token and signed data token generation to accept dict for the ctx field, in addition to the existing str type
  • Enables structured context for conditional data access policies where ctx object keys map to Skyflow CEL policy variables (request.context.role, request.context.department, etc.)
  • Adds _validate_and_resolve_ctx() with key validation (^[a-zA-Z0-9_]+$ for CEL compatibility)
  • PyJWT's jwt.encode() natively serializes dict as a JSON object in JWT payload — no custom serialization needed
  • New error messages: INVALID_CTX_TYPE, INVALID_CTX_MAP_KEY
  • 14+ validation tests passing (None, empty string, valid string, empty dict, valid dict, invalid keys with hyphens/spaces/dots, invalid types int/list, mixed value types, nested objects)
  • Updated README and samples with both string and dict ctx patterns

Test plan

  • All 14 _validate_and_resolve_ctx validation tests pass
  • Full test suite with credentials.json (requires valid service account)
  • Integration test with Skyflow backend using dict ctx in bearer token
  • Verify JWT payload contains ctx as JSON object (not stringified)

Resolves: SK-2681, DOCU-1440

🤖 Generated with Claude Code

@samsternberg @claude
feat: add JSON object support for ctx field in bearer token and signe…
e72b31a 
…d data token generation

Extend the Python SDK's bearer token and signed data token generation to
accept a dict for the ctx field, in addition to the existing string type.
This enables structured context for conditional data access policies where
ctx object keys map to Skyflow CEL policy variables (e.g.,
request.context.role, request.context.department).

Changes:
- _utils.py: add _validate_and_resolve_ctx() function with key validation
  (^[a-zA-Z0-9_]+$), update get_signed_jwt() and get_signed_tokens() to
  validate and conditionally include ctx in JWT claims
- _skyflow_messages.py: add INVALID_CTX_TYPE and INVALID_CTX_MAP_KEY errors
- Tests: add 14+ validation test cases for dict ctx, invalid keys, invalid
  types, empty dict, nested objects, mixed value types
- Samples: add JSON object context examples for both bearer and signed tokens
- README: document both string and dict ctx patterns with CEL policy
  variable mapping

Technical note: PyJWT's jwt.encode() already handles both types — a string
serializes as a JSON string, a dict serializes as a JSON object in the JWT
payload. The main addition is proper validation and error handling.

Resolves: SK-2681, DOCU-1440

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@samsternberg