mpdavis · erny · Nov 28, 2020 · Nov 28, 2020
diff --git a/jose/jwt.py b/jose/jwt.py
@@ -70,8 +70,15 @@ def decode(token, key, algorithms=None, options=None, audience=None,
 
     Args:
         token (str): A signed JWS to be verified.
-        key (str or dict): A key to attempt to verify the payload with. Can be
-            individual JWK or JWK set.
+        key (str or iterable): A key to attempt to verify the payload with.
+            This can be simple string with an individual key (e.g. "a1234"),
+            a tuple or list of keys (e.g. ("a1234...", "b3579"),
+            a JSON string, (e.g. '["a1234", "b3579"]'),
+            a dict with the 'keys' key that gives a tuple or list of keys (e.g {'keys': [...]} ) or
+            a dict or JSON string for a JWK set as defined by RFC 7517 (e.g.
+                {'keys': [{'kty': 'oct', 'k': 'YTEyMzQ'}, {'kty': 'oct', 'k':'YjM1Nzk'}]} or
+                '{"keys": [{"kty":"oct","k":"YTEyMzQ"},{"kty":"oct","k":"YjM1Nzk"}]}'
+            ) in which case the keys must be base64 url safe encoded (with optional padding).
         algorithms (str or list): Valid algorithms that should be used to verify the JWS.
         audience (str): The intended audience of the token.  If the "aud" claim is
             included in the claim set, then the audience must be included and must equal