Configuration Options

You can change many options for how this extension works via

app.config[OPTION_NAME] = new_options

General Options:

JWT_TOKEN_LOCATION Where to look for a JWT when processing a request. The options are 'headers', 'cookies', 'query_string', or 'json'. You can pass in a list to check more than one location, such as: ['headers', 'cookies']. Defaults to 'headers'.
JWT_ACCESS_TOKEN_EXPIRES How long an access token should live before it expires. This takes a datetime.timedelta, and defaults to 15 minutes. Can be set to False to disable expiration.
JWT_REFRESH_TOKEN_EXPIRES How long a refresh token should live before it expires. This takes a datetime.timedelta, and defaults to 30 days. Can be set to False to disable expiration.
JWT_ALGORITHM Which algorithm to sign the JWT with. See here for the options. Defaults to 'HS256'.
JWT_SECRET_KEY The secret key needed for symmetric signing algorithms, such as HS*. If this is not set, the Flask SECRET_KEY value is used instead.
JWT_PUBLIC_KEY The public key needed for asymmetric signing algorithms, such as RS* or ES*. PEM format expected.
JWT_PRIVATE_KEY The private key needed for asymmetric signing algorithms, such as RS* or ES*. PEM format expected.
JWT_IDENTITY_CLAIM Claim in the tokens that is used as source of identity. For interoperability, the JWT RFC recommends using 'sub'. Defaults to 'identity' for legacy reasons.
JWT_USER_CLAIMS Claim in the tokens that is used to store user claims. Defaults to 'user_claims'.
JWT_CLAIMS_IN_REFRESH_TOKEN Whether user claims should be included in refresh tokens. Defaults to False.
JWT_ERROR_MESSAGE_KEY The key of the error message in a JSON error response when using the default error handlers. Defaults to 'msg'.

Header Options:

These are only applicable if JWT_TOKEN_LOCATION is set to use headers.

JWT_HEADER_NAME Which header to look for the JWT in on a request. Defaults to 'Authorization'.
JWT_HEADER_TYPE What type of header the JWT is in. Defaults to 'Bearer'. This can be an empty string, in which case the header contains only the JWT (instead of something like HeaderName: Bearer <JWT>).

Query String Options:

These are only applicable if JWT_TOKEN_LOCATION is set to use query strings.

JWT_QUERY_STRING_NAME What query parameter name to look for a JWT in on a request. Defaults to 'jwt'.

JSON Body Options:

These are only applicable if JWT_TOKEN_LOCATION is set to use JSON data.

JWT_JSON_KEY Key to look for the access token in the body of an application/json request. Defaults to 'access_token'.
JWT_REFRESH_JSON_KEY Key to look for the refresh token in the body of an application/json request. Defaults to 'refresh_token'.

Cross Site Request Forgery Options:

These are only applicable if JWT_TOKEN_LOCATION is set to use cookies and JWT_COOKIE_CSRF_PROTECT is True.

JWT_CSRF_METHODS The request methods that will use CSRF protection. Defaults to ['POST', 'PUT', 'PATCH', 'DELETE'].
JWT_ACCESS_CSRF_HEADER_NAME Name of the header that should contain the CSRF double submit value for access tokens. Defaults to X-CSRF-TOKEN.
JWT_REFRESH_CSRF_HEADER_NAME Name of the header that should contain the CSRF double submit value for refresh tokens. Defaults to X-CSRF-TOKEN.
JWT_CSRF_IN_COOKIES Whether to store the CSRF double submit value in another cookie when using set_access_cookies() and set_refresh_cookies(). Defaults to True. If this is False, you are responsible for getting the CSRF value to the callers (see: get_csrf_token(encoded_token)).
JWT_ACCESS_CSRF_COOKIE_NAME Name of the CSRF access cookie. Defaults to 'csrf_access_token'. Only applicable if JWT_CSRF_IN_COOKIES is True.
JWT_REFRESH_CSRF_COOKIE_NAME Name of the CSRF refresh cookie. Defaults to 'csrf_refresh_token'. Only applicable if JWT_CSRF_IN_COOKIES is True.
JWT_ACCESS_CSRF_COOKIE_PATH Path for the CSRF access cookie. Defaults to '/'. Only applicable if JWT_CSRF_IN_COOKIES is True.
JWT_REFRESH_CSRF_COOKIE_PATH Path for the CSRF refresh cookie. Defaults to '/'. Only applicable if JWT_CSRF_IN_COOKIES is True.

Blacklist Options:

JWT_BLACKLIST_ENABLED Enable/disable token revoking. Defaults to False.
JWT_BLACKLIST_TOKEN_CHECKS Which token types to check against the blacklist. The options are 'refresh' or 'access'. You can pass in a list to check more than one type. Defaults to ['access', 'refresh']. Only used if blacklisting is enabled.
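As an added example (not part of the extension's own code or docs), the helper below reviews a Flask-style config mapping against the options described above and reports combinations that weaken a deployment: non-expiring tokens, a signing algorithm without its key material, cookies without CSRF protection, and a non-'sub' identity claim. The defaults are taken from this page; JWT_COOKIE_CSRF_PROTECT is assumed to default to True, and the sample configs and secret value are constructed for the demonstration.

```python
from datetime import timedelta

# Defaults as documented above; JWT_COOKIE_CSRF_PROTECT default is assumed.
DEFAULTS = {
    "JWT_TOKEN_LOCATION": "headers",
    "JWT_ACCESS_TOKEN_EXPIRES": timedelta(minutes=15),
    "JWT_REFRESH_TOKEN_EXPIRES": timedelta(days=30),
    "JWT_ALGORITHM": "HS256",
    "JWT_COOKIE_CSRF_PROTECT": True,
    "JWT_IDENTITY_CLAIM": "identity",
}


def token_locations(config):
    """Normalise JWT_TOKEN_LOCATION (string or list) to a list of strings."""
    loc = config.get("JWT_TOKEN_LOCATION", DEFAULTS["JWT_TOKEN_LOCATION"])
    return [loc] if isinstance(loc, str) else list(loc)


def review_jwt_config(config):
    """Return a list of findings for a dict shaped like Flask's app.config."""
    findings = []
    get = lambda key: config.get(key, DEFAULTS.get(key))
    alg = get("JWT_ALGORITHM")
    if alg.startswith("HS"):
        # Symmetric signing uses JWT_SECRET_KEY, falling back to SECRET_KEY.
        if not (config.get("JWT_SECRET_KEY") or config.get("SECRET_KEY")):
            findings.append("HS* algorithm but no JWT_SECRET_KEY or SECRET_KEY")
    elif alg.startswith(("RS", "ES")):
        for key in ("JWT_PUBLIC_KEY", "JWT_PRIVATE_KEY"):
            if not config.get(key):
                findings.append(f"{alg} requires {key} in PEM format")
    else:
        findings.append(f"unrecognised JWT_ALGORITHM family: {alg}")
    for key in ("JWT_ACCESS_TOKEN_EXPIRES", "JWT_REFRESH_TOKEN_EXPIRES"):
        if get(key) is False:  # False disables expiration entirely
            findings.append(f"{key} is False: tokens never expire")
    locs = token_locations(config)
    if "cookies" in locs and not get("JWT_COOKIE_CSRF_PROTECT"):
        findings.append("cookies location without JWT_COOKIE_CSRF_PROTECT")
    if "query_string" in locs:
        findings.append("query_string location: tokens end up in URLs and logs")
    if get("JWT_IDENTITY_CLAIM") != "sub":
        findings.append("JWT_IDENTITY_CLAIM is not the RFC-recommended 'sub'")
    return findings


# Constructed sample configs (the secret is a placeholder, not a real key).
WEAK_CONFIG = {"JWT_TOKEN_LOCATION": ["headers", "cookies"],
               "JWT_COOKIE_CSRF_PROTECT": False, "JWT_ACCESS_TOKEN_EXPIRES": False}
HARDENED_CONFIG = {"JWT_SECRET_KEY": "constructed-placeholder-secret",
                   "JWT_TOKEN_LOCATION": ["cookies"], "JWT_IDENTITY_CLAIM": "sub"}
```

Running review_jwt_config(WEAK_CONFIG) yields four findings, while HARDENED_CONFIG yields none because its remaining options fall back to the documented defaults.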