Configuration Options¶
You can change many options for this extension works via Flask’s Configuration Handling. For example:
app.config["OPTION_NAME"] = option_value
Overview:¶
General Options:¶
- JWT_ACCESS_TOKEN_EXPIRES¶
How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (
Integer
).If set to
False
tokens will never expire. This is dangerous and should be avoided in most caseThis can be overridden on a per token basis by passing the
expires_delta
argument toflask_jwt_extended.create_access_token()
Default:
datetime.timedelta(minutes=15)
- JWT_ALGORITHM¶
Which algorithm to sign the JWT with. See PyJWT for the available algorithms.
Default:
"HS256"
- JWT_DECODE_ALGORITHMS¶
Which algorithms to use when decoding a JWT. See PyJWT for the available algorithms.
By default this will always be the same algorithm that is defined in
JWT_ALGORITHM
.Default:
["HS256"]
- JWT_DECODE_AUDIENCE¶
The string or list of audiences (
aud
) expected in a JWT when decoding it.Default:
None
- JWT_DECODE_ISSUER¶
The issuer (
iss
) you expect in a JWT when decoding it.Default:
None
- JWT_DECODE_LEEWAY¶
The number of seconds a token will be considered valid before the Not Before Time (nbf) and after the Expires Time (`exp). This can be useful when dealing with clock drift between clients.
Default:
0
- JWT_ENCODE_AUDIENCE¶
The string or list of audiences (
aud
) for created JWTs.Default:
None
- JWT_ENCODE_ISSUER¶
The issuer (
iss
) for created JWTs.Default:
None
- JWT_ENCODE_NBF¶
The not before (
nbf
) claim which defines that a JWT MUST NOT be accepted for processing during decode.Default:
True
- JWT_ERROR_MESSAGE_KEY¶
The key for error messages in a JSON response returned by this extension.
Default:
"msg"
- JWT_IDENTITY_CLAIM¶
The claim in a JWT that is used as the source of identity.
Default:
"sub"
- JWT_PRIVATE_KEY¶
The secret key used to encode JWTs when using an asymmetric signing algorithm (such as
RS*
orES*
). The key must be in PEM format.Do not reveal the secret key when posting questions or committing code.
Default:
None
- JWT_PUBLIC_KEY¶
The secret key used to decode JWTs when using an asymmetric signing algorithm (such as
RS*
orES*
). The key must be in PEM format.Default:
None
- JWT_REFRESH_TOKEN_EXPIRES¶
How long a refresh token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (
Integer
).If set to
False
tokens will never expire. This is dangerous and should be avoided in most caseThis can be overridden on a per token basis by passing the
expires_delta
argument toflask_jwt_extended.create_refresh_token()
Default:
datetime.timedelta(days=30)
- JWT_SECRET_KEY¶
The secret key used to encode and decode JWTs when using a symmetric signing algorithm (such as
HS*
). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config.$ python -c 'import os; print(os.urandom(16))' b'_5#y2L"F4Q8z\n\xec]/'
If this value is not set, Flask’s SECRET_KEY is used instead.
Do not reveal the secret key when posting questions or committing code.
Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY (or Flask’s SECRET_KEY, if JWT_SECRET_KEY is unset).
Default:
None
- JWT_TOKEN_LOCATION¶
Where to look for a JWT when processing a request. The available options are
"headers"
,"cookies"
,"query_string"
, and"json"
.You can pass in a list to check more then one location, for example
["headers", "cookies"]
. The order of the list sets the precedence of where JWTs will be looked for.This can be overridden on a per-route basis by using the
locations
argument inflask_jwt_extended.jwt_required()
.Default:
"headers"
- JWT_VERIFY_SUB¶
Control whether the
sub
claim is verified during JWT decoding.The
sub
claim MUST be astr
according the the JWT spec. Setting this option toTrue
(the default) will enforce this requirement, and consider non-compliant JWTs invalid. Setting the option toFalse
will skip this validation of the type of thesub
claim, allowing any type for thesub
claim to be considered valid.Default:
True
Header Options:¶
These are only applicable if a route is configured to accept JWTs via headers.
- JWT_HEADER_NAME¶
What header should contain the JWT in a request
Default:
"Authorization"
- JWT_HEADER_TYPE¶
What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT.
Default:
"Bearer"
Cross Site Request Forgery Options:¶
These are only applicable if a route is configured to accept JWTs via cookies and
JWT_COOKIE_CSRF_PROTECT
is True
.
- JWT_ACCESS_CSRF_COOKIE_NAME¶
The name of the cookie that contains the CSRF double submit token. Only applicable if
JWT_CSRF_IN_COOKIES
isTrue
Default:
csrf_access_token
- JWT_ACCESS_CSRF_COOKIE_PATH¶
The path of the access CSRF double submit cookie.
Default:
"/"
- JWT_ACCESS_CSRF_FIELD_NAME¶
Name of the form field that should contain the CSRF double submit token for an access token. Only applicable if
JWT_CSRF_CHECK_FORM
isTrue
Default:
"csrf_token"
- JWT_ACCESS_CSRF_HEADER_NAME¶
The name of the header on an incoming request that should contain the CSRF double submit token.
Default:
"X-CSRF-TOKEN"
- JWT_CSRF_CHECK_FORM¶
Controls if form data should also be check for the CSRF double submit token.
Default:
False
- JWT_CSRF_IN_COOKIES¶
Controls if the CSRF double submit token will be stored in additional cookies. If setting this to
False
, you can useflask_jwt_extended.get_csrf_token()
to get the csrf token from an encoded JWT, and return it to your frontend in whatever way suites your application.Default:
True
- JWT_CSRF_METHODS¶
A list of HTTP methods that we should do CSRF checks on.
Default:
["POST", "PUT", "PATCH", "DELETE"]
- JWT_REFRESH_CSRF_COOKIE_NAME¶
The name of the cookie that contains the CSRF double submit token. Only applicable if
JWT_CSRF_IN_COOKIES
isTrue
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
csrf_refresh_token
- JWT_REFRESH_CSRF_COOKIE_PATH¶
The path of the refresh CSRF double submit cookie.
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"/"
- JWT_REFRESH_CSRF_FIELD_NAME¶
Name of the form field that should contain the CSRF double submit token for a refresh token. Only applicable if
JWT_CSRF_CHECK_FORM
isTrue
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"csrf_token"
- JWT_REFRESH_CSRF_HEADER_NAME¶
The name of the header on an incoming request that should contain the CSRF double submit token.
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"X-CSRF-TOKEN"
Query String Options:¶
These are only applicable if a route is configured to accept JWTs via query string.
- JWT_QUERY_STRING_NAME¶
What query string parameter should contain the JWT.
Default:
"jwt"
- JWT_QUERY_STRING_VALUE_PREFIX¶
An optional prefix string that should show up before the JWT in a query string parameter.
For example, if this was
"Bearer "
, the query string should look like"/endpoint?jwt=Bearer <JWT>"
Default:
""
JSON Body Options:¶
These are only applicable if a route is configured to accept JWTs via the JSON body.
- JWT_JSON_KEY¶
What key should contain the access token in the JSON body of a request.
Default:
"access_token"
- JWT_REFRESH_JSON_KEY¶
What key should contain the refresh token in the JSON body of a request.
Default:
"access_token"