1. In their most common format, a 'secret key' is used in the generation and verification of the signature. In this article I'm going to show you a less known mechanism to generate JWTs that have signatures that can be verified without having access to the secret key.
2. How to generate JWT RS256 key. GitHub Gist: instantly share code, notes, and snippets.

I'm trying to generate JWT to use it in a API integration. Here are the specific requirements to generate JWT token but I'm not following how to do it in python. It shows following Java snippet. JSON Web Signatre specification are followed to generate the final signed token. JWT Header, the encoded claim are combined, and an encryption algorithm, such as HMAC SHA-256 is applied. The signatures's secret key is held by the server so it will be able to verify existing tokens. Popular Libraries for JWT. Java atlassian-jwt and jsontoken.

Often in Flask applications we want to add login/logout functionality. Depending on the type of application you're creating, you could use sessions or tokens.

• Sessions are best suited to applications where you're serving web pages with Flask—i.e. making extensive use of render_template.
• Tokens are best suited to APIs, where your Flask application accepts and returns data to another application (such as mobile apps or web apps).

In this post we'll learn how to add token-based authentication to your Flask apps. But first...

What is a JWT?

JWT stands for JSON Web Token, and it is a piece of text with some information encoded into it.

The information stored when doing authentication in a Flask app is usually something that we can use to identify the user for whom we generated the JWT.

The flow goes like this:

1. User provides their username and password
2. We verify they are correct inside our Flask app
3. We generate a JWT which contains the user's ID.
4. We send that to the user.
5. Whenever the user makes a request to our application, they must send us the JWT we generated earlier. By doing this, we can verify the JWT is valid—and then we'll know the user who sent us the JWT is the user for whom we generated it.

That last point is important. When we receive a JWT we know to be valid, we know we generated it for a specific user. We can check this using the information stored inside the JWT.

Since we know the user sent us the JWT that we generated when they logged in, we can treat this used as a 'logged in user'.

Any user that does not send us a valid JWT, we will treat as a 'logged out' user.

Authentication with Flask-JWT

There are two main libraries for authentication with Flask: Flask-JWT and Flask-JWT-Extended.

Flask-JWT is slightly simpler, while Flask-JWT-Extended is a bit more powerful. Learning one will make learning the other very straightforward.

In this post we'll use Flask-JWT.

Installing and linking with our app

Generate Jwt Token With Private Key Python

To install Flask-JWT, activate your virtual environment and then do:

Then, in the file where your app is defined, you'll need to import Flask-JWT and create the JWT object. You also need to define app.secret_key as that is used to sign the JWT so you know it is your app that created it, and not anyone else:

We also have an import for authenticate and identity. These two functions are required for Flask-JWT to know how to handle an incoming JWT, and also what data we want to store in an outgoing JWT.

As soon as we create the JWT object, Flask-JWT registers an endpoint with our application, /auth.

That means that the simple app in that code already has an endpoint that users can access. By default, users should be able to send POST requests to the /auth endpoint with some JSON payload:

What is authenticate?

The authenticate function is used to authenticate a user. That means, when a user gives us their username and password, what data we want to put into the JWT. Remember, the data we put into the JWT will come back to us when the user sends it with each request.

The flow goes like this:

1. User makes a POST request to the new /auth endpoint with their username and password as the JSON payload.
2. The authenticate function is called with that username and password. Flask-JWT set this up when we created the JWT object.

Usually in the authenticate function I check the validity of a user's username and password, and then tell Flask-JWT to store the user's id inside the JWT.

Something like this:

My authenticate function accepts a username and password. It then goes into the database and finds a user matching that username, and checks the password is correct.

If it is, it returns the user.

Does that mean the user is stored in the JWT?

No. Flask-JWT will take the id property of the user object and store that in the JWT.

If your user object does not have an id property, you'll get an error.

You can change which property gets stored in the JWT by setting an app configuration property. Learn more in our Flask-JWT Configuration blog post.

What is identity?

The identity function is used when we receive a JWT.

In any of our endpoints (except the /auth endpoint) the user can send us a JWT alongside their data. They will do this by adding a header to their request:

When that happens, Flask-JWT will take the JWT and get the data out of it. Data stored inside a JWT is called a 'payload', so our identity function accepts that payload as a parameter:

The payload['identity'] contains the user's id property that we saved into the JWT when we created it. The payload also contains other things, such as when the token was created, when it expires, and more. For more information, read the 'Payload' section of this post.

Since payload['identity'] is the user's id—we use that to find the user in the database and return it.

Important: the identity function is not called unless we decorate our endpoints with the @jwt_required() decorator, like so:

Inside any endpoint that is decorated with @jwt_required(), we can access the current_identity proxy—it will give us whatever the identity function returns for the JWT we received in this specific request.

Generate Jwt Secret Key Python Programming

Testing and error messages

Here's a simple app, taken from the official documentation, that you can use to test your Flask-JWT requests.

I would recommend testing different scenarios with Flask-JWT to check what it can return you. For example, what happens if:

• You send an invalid username or password;
• You send an invalid or incomplete JWT;
• Your user isn't found in the database with the id in the payload;

Flask-JWT-Extended

Flask-JWT-Extended is very similar to Flask-JWT, but has more configuration options and some more functionality. For example, it allows for token refreshing.

After you're comfortable with Flask-JWT—and if you need those advanced features—read our blog post on Flask-JWT-Extended for more!

I hope you've found this post useful, and you've learned something!

If you want an even better and more digestible set of video tutorials guiding you through creating Flask applications and REST APIs, check out our REST APIs with Flask and Python course. It contains everything you need to develop simple, professional REST APIs easily.

If you sign up to our mailing list below, that's the best way to get access to a discount code—we share them every month with our subscribers!

Encoding & Decoding Tokens with HS256¶

Encoding & Decoding Tokens with RS256 (RSA)¶

If your private key needs a passphrase, you need to pass in a PrivateKey object from cryptography.

Specifying Additional Headers¶

Reading the Claimset without Validation¶

If you wish to read the claimset of a JWT without performing validation of thesignature or any of the registered claim names, you can set theverify_signature option to False.

Note: It is generally ill-advised to use this functionality unless youclearly understand what you are doing. Without digital signature information,the integrity or authenticity of the claimset cannot be trusted.

Reading Headers without Validation¶

Some APIs require you to read a JWT header without validation. For example,in situations where the token issuer uses multiple keys and you have noway of knowing in advance which one of the issuer’s public keys or sharedsecrets to use for validation, the issuer may include an identifier for thekey in the header.

Registered Claim Names¶

The JWT specification defines some registered claim names and defineshow they should be used. PyJWT supports these registered claim names:

• “exp” (Expiration Time) Claim
• “nbf” (Not Before Time) Claim
• “iss” (Issuer) Claim
• “aud” (Audience) Claim
• “iat” (Issued At) Claim

Expiration Time Claim (exp)¶

You can pass the expiration time as a UTC UNIX timestamp (an int) or as adatetime, which will be converted into an int. For example:

Expiration time is automatically verified in jwt.decode() and raisesjwt.ExpiredSignatureError if the expiration time is in the past:

Expiration time will be compared to the current UTC time (as given bytimegm(datetime.utcnow().utctimetuple())), so be sure to use a UTC timestampor datetime in encoding.

You can turn off expiration time verification with the verify_exp parameter in the options argument.

PyJWT also supports the leeway part of the expiration time definition, whichmeans you can validate a expiration time which is in the past but not very far.For example, if you have a JWT payload with a expiration time set to 30 secondsafter creation but you know that sometimes you will process it after 30 seconds,you can set a leeway of 10 seconds in order to have some margin:

Instead of specifying the leeway as a number of seconds, a datetime.timedeltainstance can be used. The last line in the example above is equivalent to:

Not Before Time Claim (nbf)¶

The nbf claim works similarly to the exp claim above.

Issuer Claim (iss)¶

If the issuer claim is incorrect, jwt.InvalidIssuerError will be raised.

Audience Claim (aud)¶

In the general case, the “aud” value is an array of case-sensitive strings, each containing a StringOrURI value.

In the special case when the JWT has one audience, the “aud” value MAY bea single case-sensitive string containing a StringOrURI value.

If multiple audiences are accepted, the audience parameter forjwt.decode can also be an iterable

The interpretation of audience values is generally application specific.Use of this claim is OPTIONAL.

If the audience claim is incorrect, jwt.InvalidAudienceError will be raised.

Issued At Claim (iat)¶

The iat (issued at) claim identifies the time at which the JWT was issued.This claim can be used to determine the age of the JWT. Its value MUST be anumber containing a NumericDate value. Use of this claim is OPTIONAL.

If the iat claim is not a number, an jwt.InvalidIssuedAtError exception will be raised.

Requiring Presence of Claims¶

If you wish to require one or more claims to be present in the claimset, you can set the require parameter to include these claims.

Retrieve RSA signing keys from a JWKS endpoint¶