Implement JWT feature in batch sdk (#16)

Author: dumitrugutu

sdk/batch/README.md

@@ -36,6 +36,25 @@ async def main():
 asyncio.run(main())
 ```
 
+## JWT Authentication
+
+For enhanced security, use temporary JWT tokens instead of static API keys.
+JWTs are short-lived (60 seconds default) and automatically refreshed:
+
+```python
+from speechmatics.batch import AsyncClient, JWTAuth
+
+auth = JWTAuth("your-api-key", ttl=60)
+
+async with AsyncClient(auth=auth) as client:
+    # Tokens are cached and auto-refreshed automatically
+    result = await client.transcribe("audio.wav")
+    print(result.transcript_text)
+```
+
+Ideal for long-running applications or when minimizing API key exposure.
+See the [authentication documentation](https://docs.speechmatics.com/introduction/authentication) for more details.
+
 ### Basic Job Workflow
 
 ```python

sdk/batch/speechmatics/batch/__init__.py

@@ -1,6 +1,9 @@
 __version__ = "0.0.0"
 
 from ._async_client import AsyncClient
+from ._auth import AuthBase
+from ._auth import JWTAuth
+from ._auth import StaticKeyAuth
 from ._exceptions import AuthenticationError
 from ._exceptions import BatchError
 from ._exceptions import ConfigurationError
@@ -24,6 +27,9 @@
 
 __all__ = [
     "AsyncClient",
+    "AuthBase",
+    "JWTAuth",
+    "StaticKeyAuth",
     "ConfigurationError",
     "AuthenticationError",
     "ConnectionError",

sdk/batch/speechmatics/batch/_async_client.py

@@ -15,9 +15,10 @@
 from typing import Optional
 from typing import Union
 
+from ._auth import AuthBase
+from ._auth import StaticKeyAuth
 from ._exceptions import AuthenticationError
 from ._exceptions import BatchError
-from ._exceptions import ConfigurationError
 from ._exceptions import JobError
 from ._exceptions import TimeoutError
 from ._helpers import prepare_audio_file
@@ -48,12 +49,13 @@ class AsyncClient:
     4. Proper cleanup and error handling
 
     Args:
-        api_key: Speechmatics API key for authentication. If not provided,
-                uses the SPEECHMATICS_API_KEY environment variable.
+        auth: Authentication instance. If not provided, uses StaticKeyAuth
+              with api_key parameter or SPEECHMATICS_API_KEY environment variable.
+        api_key: Speechmatics API key (used only if auth not provided).
         url: REST API endpoint URL. If not provided, uses SPEECHMATICS_BATCH_URL
              environment variable or defaults to production endpoint.
         conn_config: Complete connection configuration object. If provided, overrides
-               api_key and url parameters.
+               other parameters.
 
     Raises:
         ConfigurationError: If required configuration is missing or invalid.
@@ -65,26 +67,17 @@ class AsyncClient:
             ...     result = await client.wait_for_completion(job.id)
             ...     print(result.transcript)
 
-        With custom configuration:
-            >>> config = ConnectionConfig(
-            ...     url="https://asr.api.speechmatics.com/v2",
-            ...     api_key="your-key",
-            ... )
-            >>> async with AsyncClient(conn_config=config) as client:
-            ...     # Use client with custom settings
+        With JWT authentication:
+            >>> from speechmatics.batch import JWTAuth
+            >>> auth = JWTAuth("your-api-key", ttl=3600)
+            >>> async with AsyncClient(auth=auth) as client:
+            ...     # Use client with JWT auth
             ...     pass
-
-        Manual resource management:
-            >>> client = AsyncClient(api_key="your-key")
-            >>> try:
-            ...     job = await client.submit_job("audio.wav")
-            ...     result = await client.wait_for_completion(job.id)
-            ... finally:
-            ...     await client.close()
     """
 
     def __init__(
         self,
+        auth: Optional[AuthBase] = None,
         *,
         api_key: Optional[str] = None,
         url: Optional[str] = None,
@@ -94,30 +87,24 @@ def __init__(
         Initialize the AsyncClient.
 
         Args:
+            auth: Authentication method, it can be StaticKeyAuth or JWTAuth.
+                If None, creates StaticKeyAuth with the api_key.
             api_key: Speechmatics API key. If None, uses SPEECHMATICS_API_KEY env var.
             url: REST API endpoint URL. If None, uses SPEECHMATICS_BATCH_URL env var
                  or defaults to production endpoint.
-            conn_config: Complete connection configuration. Overrides api_key and url.
+            conn_config: Complete connection configuration.
 
         Raises:
-            ConfigurationError: If API key is not provided and not found in environment.
+            ConfigurationError: If auth is None and API key is not provided/found.
         """
-        # Set up configuration
-        if conn_config:
-            self._conn_config = conn_config
-        else:
-            api_key = api_key or os.environ.get("SPEECHMATICS_API_KEY")
-            if not api_key:
-                raise ConfigurationError("API key required: provide api_key parameter or set SPEECHMATICS_API_KEY")
-
-            final_url = url or os.environ.get("SPEECHMATICS_BATCH_URL") or "https://asr.api.speechmatics.com/v2"
-            self._conn_config = ConnectionConfig(url=final_url, api_key=api_key)
-
+        self._auth = auth or StaticKeyAuth(api_key)
+        self._url = url or os.environ.get("SPEECHMATICS_BATCH_URL") or "https://asr.api.speechmatics.com/v2"
+        self._conn_config = conn_config or ConnectionConfig()
         self._request_id = str(uuid.uuid4())
-        self._transport = Transport(self._conn_config, self._request_id)
-        self._logger = get_logger(__name__)
+        self._transport = Transport(self._url, self._conn_config, self._auth, self._request_id)
 
-        self._logger.debug("AsyncClient initialized (request_id=%s, url=%s)", self._request_id, self._conn_config.url)
+        self._logger = get_logger(__name__)
+        self._logger.debug("AsyncClient initialized (request_id=%s, url=%s)", self._request_id, self._url)
 
     async def __aenter__(self) -> AsyncClient:
         """

sdk/batch/speechmatics/batch/_auth.py

@@ -0,0 +1,162 @@
+import abc
+import asyncio
+import os
+import time
+from typing import Literal
+from typing import Optional
+
+from ._exceptions import AuthenticationError
+
+
+class AuthBase(abc.ABC):
+    """
+    Abstract base class for authentication methods.
+    """
+
+    BASE_URL = "https://mp.speechmatics.com"
+
+    @abc.abstractmethod
+    async def get_auth_headers(self) -> dict[str, str]:
+        """
+        Get authentication headers asynchronously.
+
+        Returns:
+            A dictionary of authentication headers.
+        """
+        raise NotImplementedError
+
+
+class StaticKeyAuth(AuthBase):
+    """
+    Authentication using a static API key.
+
+    This is the traditional authentication method where the same
+    API key is used for all requests.
+
+    Args:
+        api_key: The Speechmatics API key.
+
+    Examples:
+        >>> auth = StaticKeyAuth("your-api-key")
+        >>> headers = await auth.get_auth_headers()
+        >>> print(headers)
+        {'Authorization': 'Bearer your-api-key'}
+    """
+
+    def __init__(self, api_key: Optional[str] = None):
+        self._api_key = api_key or os.environ.get("SPEECHMATICS_API_KEY")
+
+        if not self._api_key:
+            raise ValueError("API key required: provide api_key or set SPEECHMATICS_API_KEY")
+
+    async def get_auth_headers(self) -> dict[str, str]:
+        return {"Authorization": f"Bearer {self._api_key}"}
+
+
+class JWTAuth(AuthBase):
+    """
+    Authentication using temporary JWT tokens.
+
+    Generates short-lived JWTs for enhanced security.
+
+    Args:
+        api_key: The main Speechmatics API key used to generate JWTs.
+        ttl: Time-to-live for tokens between 60 and 86400 seconds.
+            For security reasons, we suggest using the shortest TTL possible.
+        region: Self-Service customers are restricted to "eu".
+            Enterprise customers can use this to specify which region the temporary key should be enabled in.
+        client_ref: Optional client reference for JWT token.
+            This parameter must be used if the temporary keys are exposed to the end-user's client
+            to prevent a user from accessing the data of a different user.
+        mp_url: Optional management platform URL override.
+        request_id: Optional request ID for debugging purposes.
+
+    Examples:
+        >>> auth = JWTAuth("your-api-key")
+        >>> headers = await auth.get_auth_headers()
+        >>> print(headers)
+        {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIs...'}
+    """
+
+    def __init__(
+        self,
+        api_key: Optional[str] = None,
+        *,
+        ttl: int = 60,
+        region: Literal["eu", "usa", "au"] = "eu",
+        client_ref: Optional[str] = None,
+        mp_url: Optional[str] = None,
+        request_id: Optional[str] = None,
+    ):
+        self._api_key = api_key or os.environ.get("SPEECHMATICS_API_KEY")
+        self._ttl = ttl
+        self._region = region
+        self._client_ref = client_ref
+        self._request_id = request_id
+        self._mp_url = mp_url or os.getenv("SM_MANAGEMENT_PLATFORM_URL", self.BASE_URL)
+
+        if not self._api_key:
+            raise ValueError(
+                "API key required: please provide api_key or set SPEECHMATICS_API_KEY environment variable"
+            )
+
+        if not 60 <= self._ttl <= 86_400:
+            raise ValueError("ttl must be between 60 and 86400 seconds")
+
+        self._cached_token: Optional[str] = None
+        self._token_expires_at: float = 0
+        self._token_lock = asyncio.Lock()
+
+    async def get_auth_headers(self) -> dict[str, str]:
+        """Get JWT auth headers with caching."""
+        async with self._token_lock:
+            current_time = time.time()
+            if current_time >= self._token_expires_at - 10:
+                self._cached_token = await self._generate_token()
+                self._token_expires_at = current_time + self._ttl
+
+            return {"Authorization": f"Bearer {self._cached_token}"}
+
+    async def _generate_token(self) -> str:
+        try:
+            import aiohttp
+        except ImportError:
+            raise ImportError(
+                "aiohttp is required for JWT authentication. Please install it with `pip install 'speechmatics-batch[jwt]'`"
+            )
+
+        endpoint = f"{self._mp_url}/v1/api_keys"
+        params = {"type": "batch"}
+        payload = {"ttl": self._ttl, "region": str(self._region)}
+
+        if self._client_ref:
+            payload["client_ref"] = self._client_ref
+
+        headers = {
+            "Authorization": f"Bearer {self._api_key}",
+            "Content-Type": "application/json",
+        }
+
+        if self._request_id:
+            headers["X-Request-Id"] = self._request_id
+
+        try:
+            async with aiohttp.ClientSession() as session:
+                async with session.post(
+                    endpoint,
+                    params=params,
+                    json=payload,
+                    headers=headers,
+                    timeout=aiohttp.ClientTimeout(total=10),
+                ) as response:
+                    if response.status != 201:
+                        text = await response.text()
+                        raise AuthenticationError(f"Failed to generate JWT: HTTP {response.status}: {text}")
+
+                    data = await response.json()
+                    return str(data["key_value"])
+
+        except aiohttp.ClientError as e:
+            raise AuthenticationError(f"Network error generating JWT: {e}")
+        except Exception as e:
+            raise AuthenticationError(f"Unexpected error generating JWT: {e}")

sdk/batch/speechmatics/batch/_helpers.py

@@ -50,29 +50,12 @@ async def prepare_audio_file(audio_file: Union[str, BinaryIO]) -> AsyncGenerator
 
 
 def get_version() -> str:
-    """
-    Get SDK version from package metadata or __init__.py file.
-
-    Returns:
-        Version string
-    """
     try:
         return importlib.metadata.version("speechmatics-batch")
     except importlib.metadata.PackageNotFoundError:
         try:
-            # Import from the same package
             from . import __version__
 
             return __version__
         except ImportError:
-            # Fallback: read __init__.py file directly
-            try:
-                init_path = os.path.join(os.path.dirname(__file__), "__init__.py")
-                with open(init_path, encoding="utf-8") as f:
-                    for line in f:
-                        if line.strip().startswith("__version__"):
-                            # Extract version string from __version__ = "x.x.x"
-                            return line.split("=")[1].strip().strip('"').strip("'")
-            except (FileNotFoundError, IndexError, AttributeError):
-                pass
-        return "0.0.0"
+            return "0.0.0"

sdk/batch/speechmatics/batch/_models.py

@@ -737,17 +737,12 @@ class ConnectionConfig:
     """
     Configuration for HTTP connection parameters.
 
-    This class defines all connection-related settings including URL,
-    authentication, and timeouts.
+    This class defines connection-related settings and timeouts.
 
     Attributes:
-        url: Base URL for the Speechmatics Batch API.
-        api_key: Speechmatics API key for authentication.
         connect_timeout: Timeout in seconds for connection establishment.
         operation_timeout: Default timeout for API operations.
     """
 
-    url: str = "https://asr.api.speechmatics.com/v2"
-    api_key: str = ""
     connect_timeout: float = 30.0
     operation_timeout: float = 300.0