from jose import jwt, JWTError
from ..auth.key_store import get_key_by_kid

JWT_ALGORITHM = "HS256"


def decode_jwt(token: str) -> dict | None:
    """Decode a JWT token using the existing key management system."""
    try:
        headers = jwt.get_unverified_header(token)
        kid = headers.get("kid")
        if not kid:
            return None
        key = get_key_by_kid(kid)
        if not key:
            return None
        return jwt.decode(token, key, algorithms=[JWT_ALGORITHM])
    except JWTError:
        return None