Configuration Options¶
You can change many options for this extension works via Flask’s Configuration Handling. For example:
app.config["OPTION_NAME"] = option_value
Overview:¶
General Options:¶
- JWT_ACCESS_TOKEN_EXPIRES¶
How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (
Integer
).If set to
False
tokens will never expire. This is dangerous and should be avoided in most caseThis can be overridden on a per token basis by passing the
expires_delta
argument toflask_jwt_extended.create_access_token()
Default:
datetime.timedelta(minutes=15)
- JWT_ALGORITHM¶
Which algorithm to sign the JWT with. See PyJWT for the available algorithms.
Default:
"HS256"
- JWT_DECODE_ALGORITHMS¶
Which algorithms to use when decoding a JWT. See PyJWT for the available algorithms.
By default this will always be the same algorithm that is defined in
JWT_ALGORITHM
.Default:
["HS256"]
- JWT_DECODE_AUDIENCE¶
The string or list of audiences (
aud
) expected in a JWT when decoding it.Default:
None
- JWT_DECODE_ISSUER¶
The issuer (
iss
) you expect in a JWT when decoding it.Default:
None
- JWT_DECODE_LEEWAY¶
The number of seconds a token will be considered valid before the Not Before Time (nbf) and after the Expires Time (`exp). This can be useful when dealing with clock drift between clients.
Default:
0
- JWT_ENCODE_AUDIENCE¶
The string or list of audiences (
aud
) for created JWTs.Default:
None
- JWT_ENCODE_ISSUER¶
The issuer (
iss
) for created JWTs.Default:
None
- JWT_ENCODE_NBF¶
The not before (
nbf
) claim which defines that a JWT MUST NOT be accepted for processing during decode.Default:
True
- JWT_ERROR_MESSAGE_KEY¶
The key for error messages in a JSON response returned by this extension.
Default:
"msg"
- JWT_IDENTITY_CLAIM¶
The claim in a JWT that is used as the source of identity.
Default:
"sub"
- JWT_PRIVATE_KEY¶
The secret key used to encode JWTs when using an asymmetric signing algorithm (such as
RS*
orES*
). The key must be in PEM format.Do not reveal the secret key when posting questions or committing code.
Default:
None
- JWT_PUBLIC_KEY¶
The secret key used to decode JWTs when using an asymmetric signing algorithm (such as
RS*
orES*
). The key must be in PEM format.Default:
None
- JWT_REFRESH_TOKEN_EXPIRES¶
How long a refresh token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (
Integer
).If set to
False
tokens will never expire. This is dangerous and should be avoided in most caseThis can be overridden on a per token basis by passing the
expires_delta
argument toflask_jwt_extended.create_refresh_token()
Default:
datetime.timedelta(days=30)
- JWT_SECRET_KEY¶
The secret key used to encode and decode JWTs when using a symmetric signing algorithm (such as
HS*
). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config.$ python -c 'import os; print(os.urandom(16))' b'_5#y2L"F4Q8z\n\xec]/'
If this value is not set, Flask’s SECRET_KEY is used instead.
Do not reveal the secret key when posting questions or committing code.
Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY (or Flask’s SECRET_KEY, if JWT_SECRET_KEY is unset).
Default:
None
- JWT_TOKEN_LOCATION¶
Where to look for a JWT when processing a request. The available options are
"headers"
,"cookies"
,"query_string"
, and"json"
.You can pass in a list to check more then one location, for example
["headers", "cookies"]
. The order of the list sets the precedence of where JWTs will be looked for.This can be overridden on a per-route basis by using the
locations
argument inflask_jwt_extended.jwt_required()
.Default:
"headers"
Header Options:¶
These are only applicable if a route is configured to accept JWTs via headers.
- JWT_HEADER_NAME¶
What header should contain the JWT in a request
Default:
"Authorization"
- JWT_HEADER_TYPE¶
What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT.
Default:
"Bearer"
Cross Site Request Forgery Options:¶
These are only applicable if a route is configured to accept JWTs via cookies and
JWT_COOKIE_CSRF_PROTECT
is True
.
- JWT_ACCESS_CSRF_COOKIE_NAME¶
The name of the cookie that contains the CSRF double submit token. Only applicable if
JWT_CSRF_IN_COOKIES
isTrue
Default:
csrf_access_token
- JWT_ACCESS_CSRF_COOKIE_PATH¶
The path of the access CSRF double submit cookie.
Default:
"/"
- JWT_ACCESS_CSRF_FIELD_NAME¶
Name of the form field that should contain the CSRF double submit token for an access token. Only applicable if
JWT_CSRF_CHECK_FORM
isTrue
Default:
"csrf_token"
- JWT_ACCESS_CSRF_HEADER_NAME¶
The name of the header on an incoming request that should contain the CSRF double submit token.
Default:
"X-CSRF-TOKEN"
- JWT_CSRF_CHECK_FORM¶
Controls if form data should also be check for the CSRF double submit token.
Default:
False
- JWT_CSRF_IN_COOKIES¶
Controls if the CSRF double submit token will be stored in additional cookies. If setting this to
False
, you can useflask_jwt_extended.get_csrf_token()
to get the csrf token from an encoded JWT, and return it to your frontend in whatever way suites your application.Default:
True
- JWT_CSRF_METHODS¶
A list of HTTP methods that we should do CSRF checks on.
Default:
["POST", "PUT", "PATCH", "DELETE"]
- JWT_REFRESH_CSRF_COOKIE_NAME¶
The name of the cookie that contains the CSRF double submit token. Only applicable if
JWT_CSRF_IN_COOKIES
isTrue
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
csrf_refresh_token
- JWT_REFRESH_CSRF_COOKIE_PATH¶
The path of the refresh CSRF double submit cookie.
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"/"
- JWT_REFRESH_CSRF_FIELD_NAME¶
Name of the form field that should contain the CSRF double submit token for a refresh token. Only applicable if
JWT_CSRF_CHECK_FORM
isTrue
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"csrf_token"
- JWT_REFRESH_CSRF_HEADER_NAME¶
The name of the header on an incoming request that should contain the CSRF double submit token.
Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.
Default:
"X-CSRF-TOKEN"
Query String Options:¶
These are only applicable if a route is configured to accept JWTs via query string.
- JWT_QUERY_STRING_NAME¶
What query string parameter should contain the JWT.
Default:
"jwt"
- JWT_QUERY_STRING_VALUE_PREFIX¶
An optional prefix string that should show up before the JWT in a query string parameter.
For example, if this was
"Bearer "
, the query string should look like"/endpoint?jwt=Bearer <JWT>"
Default:
""
JSON Body Options:¶
These are only applicable if a route is configured to accept JWTs via the JSON body.
- JWT_JSON_KEY¶
What key should contain the access token in the JSON body of a request.
Default:
"access_token"
- JWT_REFRESH_JSON_KEY¶
What key should contain the refresh token in the JSON body of a request.
Default:
"access_token"