praetorian-cli 2.2.1__tar.gz → 2.2.3__tar.gz

{praetorian_cli-2.2.1/praetorian_cli.egg-info → praetorian_cli-2.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: praetorian-cli
-Version: 2.2.1
+Version: 2.2.3
 Summary: For interacting with the Chariot API
 Home-page: https://github.com/praetorian-inc/praetorian-cli
 Author: Praetorian
@@ -17,6 +17,9 @@ Requires-Dist: requests>=2.31.0
 Requires-Dist: pytest>=8.0.2
 Requires-Dist: mcp>=1.12.2
 Requires-Dist: anyio>=3.0.0
+Requires-Dist: textual>=0.47.0
+Requires-Dist: rich>=13.0.0
+Requires-Dist: prompt_toolkit>=3.0.0
 Dynamic: license-file
 
 # Praetorian CLI and SDK

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/add.py

@@ -196,21 +196,39 @@ def attribute(sdk, key, name, value):
 
 @add.command()
 @cli_handler
-@click.option('-d', '--dns', required=True, help='The DNS of the asset')
+@click.option('-t', '--type', 'seed_type', default='asset', help='Asset type (e.g., asset, addomain)')
 @click.option('-s', '--status', type=click.Choice([s.value for s in Seed]),
               default=Seed.PENDING.value, help='The status of the seed', show_default=True)
-def seed(sdk, dns, status):
+@click.option('-f', '--field', 'field_list', multiple=True, 
+              help='Field in format name:value (can be specified multiple times)')
+def seed(sdk, seed_type, status, field_list):
     """ Add a seed
 
-    Add a seed to the Chariot database. This command requires DNS of the seed to be
-    specified. When status is not specified, the seed is added as PENDING.
+    Add a seed to the Chariot database. Seeds are now assets with special labeling.
+    You can specify the asset type and provide dynamic fields using --fields.
 
     \b
     Example usages:
-        - praetorian chariot add seed --dns example.com
-        - praetorian chariot add seed --dns example.com --status A
+        - praetorian chariot add seed --type asset --field dns:example.com
+        - praetorian chariot add seed --type asset --field dns:example.com --status A
+        - praetorian chariot add seed --type asset --field dns:example.com --field name:1.2.3.4
+        - praetorian chariot add seed --type addomain --field domain:corp.local --field objectid:S-1-5-21-2701466056-1043032755-2418290285
     """
-    sdk.seeds.add(dns, status)
+    # Collect dynamic fields from the --fields option
+    dynamic_fields = {}
+    
+    # Parse field_list entries (name:value format)
+    for field in field_list:
+        if ':' in field:
+            # Split only once to allow colons in the value
+            name, value = field.split(':', 1)
+            dynamic_fields[name] = value
+        else:
+            error(f"Field '{field}' is not in the format name:value")
+            return
+    
+    # Call the updated add method with type and dynamic fields
+    sdk.seeds.add(status=status, seed_type=seed_type, **dynamic_fields)
 
 
 @add.command()

praetorian_cli-2.2.3/praetorian_cli/handlers/aegis.py

@@ -0,0 +1,107 @@
+import click
+from praetorian_cli.handlers.chariot import chariot
+from praetorian_cli.handlers.cli_decorators import cli_handler
+
+
+@chariot.group(invoke_without_command=True)
+@cli_handler
+@click.pass_context
+def aegis(ctx, sdk):
+    """Aegis management commands"""
+    if ctx.invoked_subcommand is None:
+        # No subcommand was invoked, run the default interactive interface
+        from praetorian_cli.ui.aegis.menu import run_aegis_menu
+        run_aegis_menu(sdk)
+
+
+# Add the shared commands to the CLI group
+# Each shared command gets wrapped to inject the CLI context
+
+@aegis.command('list')
+@cli_handler
+@click.option('--details', is_flag=True, help='Show detailed agent information')
+@click.option('--filter', help='Filter agents by hostname or other properties')
+@click.pass_context
+def list_agents(ctx, sdk, details, filter):
+    """List Aegis agents with optional details"""
+    click.echo(sdk.aegis.format_agents_list(details=details, filter_text=filter))
+
+
+@aegis.command('ssh')
+@cli_handler
+@click.argument('client_id', required=True)
+@click.option('-u', '--user', help='SSH username (prepends user@ to hostname)')
+@click.argument('args', nargs=-1)
+@click.pass_context
+def ssh(ctx, sdk, client_id, user, args):
+    """Connect to an Aegis agent via SSH.
+
+    Pass native ssh flags after client_id; they are forwarded to ssh.
+
+    Common options (forwarded to ssh):
+      -L [bind_address:]port:host:hostport   Local port forward (repeatable)
+      -R [bind_address:]port:host:hostport   Remote port forward (repeatable)
+      -D [bind_address:]port                 Dynamic SOCKS proxy
+      -i IDENTITY_FILE                       Identity (private key) file
+      -l USER                                Remote username (alternative to -u/--user)
+      -o OPTION=VALUE                        Extra ssh config option
+      -p PORT                                SSH port
+      -v/-vv/-vvv                            Verbose output
+    """
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+
+    options = list(args)
+    sdk.aegis.ssh_to_agent(agent=agent, options=options, user=user, display_info=True)
+
+
+@aegis.command('job')
+@cli_handler
+@click.option('-c', '--capability', 'capabilities', multiple=True, help='Capability to run (e.g., windows-smb-snaffler)')
+@click.option('--config', help='JSON configuration string for the job')
+@click.argument('client_id', required=True)
+@click.pass_context
+def job(ctx, sdk, capabilities, config, client_id):
+    """Run a job on an Aegis agent"""
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+    
+    try:
+        result = sdk.aegis.run_job(
+            agent,
+            list(capabilities) if capabilities else None,
+            config
+        )
+
+        if 'capabilities' in result:
+            click.echo("Available capabilities:")
+            for cap in result['capabilities']:
+                name = cap.get('name', 'unknown')
+                desc = cap.get('description', '')[:50]
+                click.echo(f"  {name:<25} {desc}")
+        elif result.get('success'):
+            click.echo("✓ Job queued successfully")
+            click.echo(f"  Job ID: {result.get('job_id', 'unknown')}")
+            click.echo(f"  Status: {result.get('status', 'unknown')}")
+        else:
+            click.echo("Error: Unknown error", err=True)
+    except Exception as e:
+        click.echo(f"Error: {e}", err=True)
+
+
+@aegis.command('info')
+@cli_handler
+@click.argument('client_id', required=True)
+@click.pass_context
+def info(ctx, sdk, client_id):
+    """Show detailed information for an agent"""
+    agent = sdk.aegis.get_by_client_id(client_id)
+    if not agent:
+        click.echo(f"Agent not found: {client_id}", err=True)
+        return
+    
+    click.echo(agent.to_detailed_string())

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/delete.py

@@ -88,11 +88,12 @@ def seed(chariot, key):
 
     \b
     Arguments:
-        - KEY: the key of an existing seed
+        - KEY: the key of an existing seed (now uses asset key format)
 
     \b
     Example usage:
-        - praetorian chariot delete seed "#seed#domain#example.com"
+        - praetorian chariot delete seed "#asset#example.com#example.com"
+        - praetorian chariot delete seed "#addomain#corp.local#corp.local"
     """
     chariot.seeds.delete(key)
 

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/get.py

@@ -186,11 +186,12 @@ def seed(chariot, key):
 
     \b
     Argument:
-        - KEY: the key of an existing pre-seed
+        - KEY: the key of an existing seed (now uses asset key format)
 
     \b
     Example usages:
-        - praetorian chariot get preseed "#preseed#domain#example.com"
+        - praetorian chariot get seed "#asset#example.com#example.com"
+        - praetorian chariot get seed "#addomain#corp.local#corp.local"
     """
     print_json(chariot.seeds.get(key))
 
@@ -278,3 +279,48 @@ def credential(chariot, credential_id, category, type, format, parameters):
     result = chariot.credentials.get(credential_id, category, type, [format], **params)
     output = chariot.credentials.format_output(result)
     click.echo(output)
+
+
+@get.command()
+@cli_handler
+@click.argument('key', required=True)
+def scanner(chariot, key):
+    """ Get scanner details
+
+    \b
+    Argument:
+        - KEY: the key of an existing scanner record
+
+    \b
+    Example usage:
+        - praetorian chariot get scanner "#scanner#127.0.0.1"
+    """
+    print_json(chariot.scanners.get(key))
+
+
+@get.command()
+@cli_handler
+@click.option('-t', '--type', help='Optional specific entity type (e.g., asset, risk, attribute)')
+@click.option('-d', '--details', is_flag=True, help='Further retrieve the details of the schema')
+def schema(chariot, type, details):
+    """ Get Chariot entity schema
+
+    \b
+    Returns the JSON schema for Chariot entities. Optionally filter for a
+    specific entity type.
+
+    \b
+    Example usages:
+        - praetorian chariot get schema
+        - praetorian chariot get schema --type asset
+        - praetorian chariot get schema --type asset --details
+    """
+    data = chariot.schema.get(type)
+    if type:
+        data = {type: data[type]}
+
+    if details:
+        print_json(data)
+    else:
+        for hit in data:
+            click.echo(hit)

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/list.py

@@ -26,7 +26,7 @@ def assets(chariot, filter, model_type, details, offset, page):
         - praetorian chariot list assets --page all
         - praetorian chariot list assets --type repository
     """
-    render_list_results(chariot.assets.list(filter, model_type, offset, pagination_size(page)), details)
+    render_list_results(chariot.assets.list(filter, model_type, pagination_size(page)), details)
 
 
 @list.command()
@@ -64,6 +64,22 @@ def accounts(chariot, filter, details, offset, page):
     render_list_results(chariot.accounts.list(filter, offset, pagination_size(page)), details)
 
 
+@list.command()
+@list_params('Aegis ID', has_filter=False)
+def aegis(chariot, details, offset, page):
+    """ List Aegis
+
+    Retrieve and display a list of Aegis instances.
+
+    \b
+    Example usages:
+        - praetorian chariot list aegis
+        - praetorian chariot list aegis --details
+        - praetorian chariot list aegis --page all
+    """
+    render_list_results(chariot.aegis.list(offset, pagination_size(page)), details)
+
+
 @list.command()
 @list_params('integration name')
 def integrations(chariot, filter, details, offset, page):
@@ -162,24 +178,23 @@ def attributes(chariot, filter, key, details, offset, page):
 
 @list.command()
 @list_params('DNS')
-@click.option('-t', '--type', type=click.Choice(['ip', 'domain']), help=f'Filter by type of the seeds')
+@click.option('-t', '--type', help='Filter by seed type (e.g., asset, addomain)')
 def seeds(chariot, type, filter, details, offset, page):
     """ List seeds
 
-   	Retrieve and display a list of seeds.
+   	Retrieve and display a list of seeds. Seeds are now assets with the 'Seed' label.
 
     \b
     Example usages:
         - praetorian chariot list seeds
-        - praetorian chariot list seeds --type ip
-        - praetorian chariot list seeds --type domain --filter example.com
+        - praetorian chariot list seeds --type asset
+        - praetorian chariot list seeds --type addomain
+        - praetorian chariot list seeds --type asset --filter example.com
         - praetorian chariot list seeds --details
         - praetorian chariot list seeds --page all
     """
-    if filter and not type:
-        error('When the DNS filter is specified, you also need to specify the type of the filter: ip or domain.')
-
-    render_list_results(chariot.seeds.list(type, filter, offset, pagination_size(page)), details)
+    # Note: filter restriction removed since we're using different key format now
+    render_list_results(chariot.seeds.list(type, filter, pagination_size(page)), details)
 
 
 @list.command()
@@ -336,3 +351,20 @@ def capabilities(chariot, name, target, executor):
         - praetorian chariot list capabilities --name nuclei --target attribute --executor chariot
     """
     print_json(chariot.capabilities.list(name, target, executor))
+
+
+@list.command()
+@list_params('IP address')
+def scanners(chariot, filter, details, offset, page):
+    """ List scanners
+
+    Retrieve and display a list of scanner records that track IP addresses used by chariot.
+
+    \b
+    Example usages:
+        - praetorian chariot list scanners
+        - praetorian chariot list scanners --filter 127.0.0.1
+        - praetorian chariot list scanners --details
+        - praetorian chariot list scanners --page all
+    """
+    render_list_results(chariot.scanners.list(filter, offset, pagination_size(page)), details)

praetorian_cli-2.2.3/praetorian_cli/handlers/ssh_utils.py

@@ -0,0 +1,154 @@
+"""
+Shared SSH utilities for Aegis CLI and TUI commands
+"""
+
+from typing import List, Dict, Optional
+from praetorian_cli.sdk.model.aegis import Agent
+
+
+class SSHArgumentParser:
+    """Shared SSH argument parser for both CLI and TUI interfaces"""
+    
+    def __init__(self, console=None):
+        self.console = console
+    
+    def parse_ssh_args(self, args: List[str]) -> Optional[Dict]:
+        """
+        Parse SSH command arguments and return options dict
+        Returns None if parsing fails with error messages displayed
+        """
+        options = {
+            'local_forward': [],
+            'remote_forward': [],
+            'dynamic_forward': None,
+            'key': None,
+            'ssh_opts': None,
+            'user': None,
+            'passthrough': []  # collect unknown flags to pass through
+        }
+        
+        i = 0
+        while i < len(args):
+            arg = args[i]
+            
+            if arg in ['-L', '-l', '--local-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -L requires a port forwarding specification")
+                    self._print_error("Example: ssh -L 8080:localhost:80", dim=True)
+                    return None
+                options['local_forward'].append(args[i + 1])
+                i += 2
+                
+            elif arg in ['-R', '-r', '--remote-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -R requires a port forwarding specification")
+                    self._print_error("Example: ssh -R 9090:localhost:3000", dim=True)
+                    return None
+                options['remote_forward'].append(args[i + 1])
+                i += 2
+                
+            elif arg in ['-D', '-d', '--dynamic-forward']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -D requires a port number")
+                    self._print_error("Example: ssh -D 1080", dim=True)
+                    return None
+                try:
+                    port = int(args[i + 1])
+                    if port < 1 or port > 65535:
+                        raise ValueError()
+                    options['dynamic_forward'] = str(port)
+                except ValueError:
+                    self._print_error(f"Error: Invalid port number '{args[i + 1]}'")
+                    self._print_error("Port must be a number between 1 and 65535", dim=True)
+                    return None
+                i += 2
+                
+            elif arg in ['-i', '-I', '--key']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -i requires a key file path")
+                    self._print_error("Example: ssh -i ~/.ssh/my_key", dim=True)
+                    return None
+                options['key'] = args[i + 1]
+                i += 2
+                
+            elif arg in ['-u', '-U', '--user']:
+                if i + 1 >= len(args):
+                    self._print_error("Error: -u requires a username")
+                    self._print_error("Example: ssh -u root", dim=True)
+                    return None
+                options['user'] = args[i + 1]
+                i += 2
+                
+            elif arg.startswith('-'):
+                # Collect unknown options and their arguments if any
+                options['passthrough'].append(arg)
+                # If next token is a value and current looks like expects arg (heuristic), include it
+                if i + 1 < len(args) and not args[i + 1].startswith('-'):
+                    options['passthrough'].append(args[i + 1])
+                    i += 2
+                else:
+                    i += 1
+            else:
+                self._print_error(f"Error: Unexpected argument '{arg}'")
+                return None
+            
+        return options
+    
+    def validate_agent_ssh_availability(self, agent) -> bool:
+        """
+        Check if SSH is available for the given agent
+        Returns True if available, False otherwise with error messages displayed
+        """
+        is_valid, error_msg = validate_agent_for_ssh(agent)
+        if not is_valid:
+            self._print_error(error_msg)
+            return False
+        return True
+    
+    def has_ssh_options(self, options: Dict) -> bool:
+        """Check if any actual SSH options were provided (not just passthrough)"""
+        return bool(
+            options['local_forward'] or 
+            options['remote_forward'] or 
+            options['dynamic_forward'] or
+            options['key'] or
+            options['user']
+        )
+    
+    def _print_error(self, message: str, dim: bool = False):
+        """Print error message using console if available, otherwise plain print"""
+        if self.console:
+            if dim:
+                self.console.print(f"[dim]{message}[/dim]")
+            else:
+                self.console.print(f"[red]{message}[/red]")
+        else:
+            # Fallback for CLI usage
+            print(f"Error: {message}" if not dim else message)
+
+
+def validate_agent_for_ssh(agent: Agent) -> tuple[bool, str]:
+    """
+    Validate if an agent is ready for SSH connections
+    Returns (is_valid, error_message)
+    """
+    if not agent:
+        return False, "No agent specified"
+    
+    client_id = agent.client_id
+    hostname = agent.hostname or 'Unknown'
+    has_tunnel = agent.has_tunnel
+    
+    if not client_id:
+        return False, "Agent missing client_id"
+    
+    # Check if Cloudflare tunnel is available
+    if not has_tunnel:
+        return False, f"SSH not available for {hostname} - no active tunnel"
+    
+    # Check if tunnel has a public hostname
+    public_hostname = agent.health_check.cloudflared_status.hostname if has_tunnel else None
+    if not public_hostname:
+        return False, f"No public hostname found in tunnel configuration for {hostname}"
+    
+    return True, ""

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/test.py

@@ -1,4 +1,6 @@
 import os
+import sys
+import subprocess
 
 import click
 import pytest
@@ -10,7 +12,7 @@ from praetorian_cli.handlers.cli_decorators import cli_handler
 
 @chariot.command()
 @cli_handler
-@click.option('-s', '--suite', type=click.Choice(['coherence', 'cli']), help='Run a specific test suite')
+@click.option('-s', '--suite', type=click.Choice(['coherence', 'cli', 'tui']), help='Run a specific test suite')
 @click.argument('key', required=False)
 def test(chariot, key, suite):
     """ Run integration test suite """
@@ -21,4 +23,7 @@ def test(chariot, key, suite):
         command.extend(['-k', key])
     if suite:
         command.extend(['-m', suite])
-    pytest.main(command)
+    # Run pytest in a subprocess to isolate from CLI pre-imports
+    args = [sys.executable, '-m', 'pytest'] + command
+    result = subprocess.run(args)
+    raise SystemExit(result.returncode)

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/handlers/update.py

@@ -65,12 +65,12 @@ def seed(chariot, key, status):
 
     \b
     Example usages:
-        - praetorian chariot update seed "#seed#domain#example.com" -s A
-        - praetorian chariot update seed "#seed#ip#1.1.1.0/24" -s F
+        - praetorian chariot update seed "#asset#example.com#example.com" -s A
+        - praetorian chariot update seed "#asset#1.1.1.0/24#1.1.1.0/24" -s F
     """
+    
     chariot.seeds.update(key, status)
 
-
 @update.command()
 @cli_handler
 @click.argument('key', required=True)

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/main.py

@@ -1,6 +1,7 @@
 import click
 
 import praetorian_cli.handlers.add
+import praetorian_cli.handlers.aegis
 import praetorian_cli.handlers.agent
 import praetorian_cli.handlers.delete
 import praetorian_cli.handlers.enrich

{praetorian_cli-2.2.1 → praetorian_cli-2.2.3}/praetorian_cli/sdk/chariot.py

@@ -1,6 +1,7 @@
 import json, requests, os
 
 from praetorian_cli.sdk.entities.accounts import Accounts
+from praetorian_cli.sdk.entities.aegis import Aegis
 from praetorian_cli.sdk.entities.agents import Agents
 from praetorian_cli.sdk.entities.assets import Assets
 from praetorian_cli.sdk.entities.attributes import Attributes
@@ -14,6 +15,8 @@ from praetorian_cli.sdk.entities.jobs import Jobs
 from praetorian_cli.sdk.entities.keys import Keys
 from praetorian_cli.sdk.entities.preseeds import Preseeds
 from praetorian_cli.sdk.entities.risks import Risks
+from praetorian_cli.sdk.entities.scanners import Scanners
+from praetorian_cli.sdk.entities.schema import Schema
 from praetorian_cli.sdk.entities.search import Search
 from praetorian_cli.sdk.entities.seeds import Seeds
 from praetorian_cli.sdk.entities.settings import Settings
@@ -39,14 +42,17 @@ class Chariot:
         self.definitions = Definitions(self)
         self.attributes = Attributes(self)
         self.search = Search(self)
+        self.scanners = Scanners(self)
         self.webhook = Webhook(self)
         self.statistics = Statistics(self)
+        self.aegis = Aegis(self)
         self.agents = Agents(self)
         self.settings = Settings(self)
         self.configurations = Configurations(self)
         self.keys = Keys(self)
         self.capabilities = Capabilities(self)
         self.credentials = Credentials(self)
+        self.schema = Schema(self)
         self.proxy = proxy
 
         if self.proxy == '' and os.environ.get('CHARIOT_PROXY'):
@@ -66,26 +72,16 @@ class Chariot:
             kwargs['proxies'] = {'http': self.proxy, 'https': self.proxy}
             kwargs['verify'] = False
         
-        self._add_beta_filter(method, kwargs)
+        self.add_beta_url_param(kwargs)
 
         return requests.request(method, url, headers=self.keychain.headers(), **kwargs)
 
-    def _add_beta_filter(self, method: str, kwargs: dict):
-        if method == 'GET' or method == 'DELETE':
-            self._add_beta_url_param(kwargs)
-        else:
-            self._add_beta_json_param(kwargs)
-
-    def _add_beta_url_param(self, kwargs: dict):
+    def add_beta_url_param(self, kwargs: dict):
         if 'params' in kwargs:
             kwargs['params']['beta'] = 'true'
         else:
             kwargs['params'] = {'beta': 'true'}
 
-    def _add_beta_json_param(self, kwargs: dict):
-        if 'json' in kwargs:
-            kwargs['json']['beta'] = True
-
     def my(self, params: dict, pages=1) -> dict:
         final_resp = dict()
 
@@ -256,6 +252,69 @@ class Chariot:
         
         server = MCPServer(self, allowable_tools)
         return anyio.run(server.start)
+
+    def get_current_user(self) -> tuple:
+        """
+        Get current user information for Aegis functionality.
+        
+        Returns:
+            tuple: (user_email, username) where user_email is the login email
+                   and username is the SSH username derived from the email
+        """
+        # Try to get username from keychain first (for username/password auth)
+        user_email = self.keychain.username()
+        
+        # If no username in keychain (API key auth), try to get it from JWT token
+        if not user_email and self.keychain.has_api_key():
+            token = self.keychain.token()
+            payload = decode_jwt_payload(token)
+            if payload:
+                # Extract email from the 'email' field in the JWT payload
+                user_email = payload.get('email')
+            else:
+                # If JWT decoding fails, fall back to the account parameter
+                raise Exception("Failed to decode JWT token")
+        
+        # Extract username from email (part before @) for SSH access
+        username = user_email.split('@')[0] if user_email and '@' in user_email else user_email
+        return user_email, username
+
+
+def decode_jwt_payload(token: str) -> dict | None:
+    """
+    Decode the payload from a JWT token.
+    
+    Args:
+        token: JWT token string in format header.payload.signature
+        
+    Returns:
+        dict: Decoded payload contents, or None if decoding fails
+        
+    Example:
+        >>> token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20ifQ.signature"
+        >>> payload = decode_jwt_payload(token)
+        >>> print(payload.get('email'))
+        user@example.com
+    """
+    try:
+        import json
+        import base64
+        
+        # JWT tokens have 3 parts: header.payload.signature
+        parts = token.split('.')
+        if len(parts) != 3:
+            return None
+            
+        payload_part = parts[1]
+        # Add padding if needed for base64 decoding
+        payload_part += '=' * (4 - len(payload_part) % 4)
+        payload = json.loads(base64.b64decode(payload_part))
+        
+        return payload
+    except Exception:
+        return None
+
+
 def is_query_limit_failure(response: requests.Response) -> bool:
     return response.status_code == 413 and 'reduce page size' in response.text