Configuration Options

You can change many options for this extension works via Flask’s Configuration Handling. For example:

app.config["OPTION_NAME"] = option_value

Overview:

General Options:

JWT_ACCESS_TOKEN_EXPIRES

How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_access_token()

Default: datetime.timedelta(minutes=15)

JWT_ALGORITHM

Which algorithm to sign the JWT with. See PyJWT for the available algorithms.

Default: "HS256"

JWT_DECODE_ALGORITHMS

Which algorithms to use when decoding a JWT. See PyJWT for the available algorithms.

By default this will always be the same algorithm that is defined in JWT_ALGORITHM.

Default: ["HS256"]

JWT_DECODE_AUDIENCE

The string or list of audiences (aud) expected in a JWT when decoding it.

Default: None

JWT_DECODE_ISSUER

The issuer (iss) you expect in a JWT when decoding it.

Default: None

JWT_DECODE_LEEWAY

The number of seconds a token will be considered valid before the Not Before Time (nbf) and after the Expires Time (`exp). This can be useful when dealing with clock drift between clients.

Default: 0

JWT_ENCODE_AUDIENCE

The string or list of audiences (aud) for created JWTs.

Default: None

JWT_ENCODE_ISSUER

The issuer (iss) for created JWTs.

Default: None

JWT_ENCODE_NBF

The not before (nbf) claim which defines that a JWT MUST NOT be accepted for processing during decode.

Default: True

JWT_ERROR_MESSAGE_KEY

The key for error messages in a JSON response returned by this extension.

Default: "msg"

JWT_IDENTITY_CLAIM

The claim in a JWT that is used as the source of identity.

Default: "sub"

JWT_PRIVATE_KEY

The secret key used to encode JWTs when using an asymmetric signing algorithm (such as RS* or ES*). The key must be in PEM format.

Do not reveal the secret key when posting questions or committing code.

Default: None

JWT_PUBLIC_KEY

The secret key used to decode JWTs when using an asymmetric signing algorithm (such as RS* or ES*). The key must be in PEM format.

Default: None

JWT_REFRESH_TOKEN_EXPIRES

How long a refresh token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_refresh_token()

Default: datetime.timedelta(days=30)

JWT_SECRET_KEY

The secret key used to encode and decode JWTs when using a symmetric signing algorithm (such as HS*). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config.

$ python -c 'import os; print(os.urandom(16))'
b'_5#y2L"F4Q8z\n\xec]/'

If this value is not set, Flask’s SECRET_KEY is used instead.

Do not reveal the secret key when posting questions or committing code.

Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY (or Flask’s SECRET_KEY, if JWT_SECRET_KEY is unset).

Default: None

JWT_TOKEN_LOCATION

Where to look for a JWT when processing a request. The available options are "headers", "cookies", "query_string", and "json".

You can pass in a list to check more then one location, for example ["headers", "cookies"]. The order of the list sets the precedence of where JWTs will be looked for.

This can be overridden on a per-route basis by using the locations argument in flask_jwt_extended.jwt_required().

Default: "headers"

JWT_VERIFY_SUB

Control whether the sub claim is verified during JWT decoding.

The sub claim MUST be a str according the the JWT spec. Setting this option to True (the default) will enforce this requirement, and consider non-compliant JWTs invalid. Setting the option to False will skip this validation of the type of the sub claim, allowing any type for the sub claim to be considered valid.

Default: True

Header Options:

These are only applicable if a route is configured to accept JWTs via headers.

JWT_HEADER_NAME

What header should contain the JWT in a request

Default: "Authorization"

JWT_HEADER_TYPE

What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT.

Default: "Bearer"

Cross Site Request Forgery Options:

These are only applicable if a route is configured to accept JWTs via cookies and JWT_COOKIE_CSRF_PROTECT is True.

JWT_ACCESS_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for an access token. Only applicable if JWT_CSRF_CHECK_FORM is True

Default: "csrf_token"

JWT_ACCESS_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Default: "X-CSRF-TOKEN"

JWT_CSRF_CHECK_FORM

Controls if form data should also be check for the CSRF double submit token.

Default: False

JWT_CSRF_IN_COOKIES

Controls if the CSRF double submit token will be stored in additional cookies. If setting this to False, you can use flask_jwt_extended.get_csrf_token() to get the csrf token from an encoded JWT, and return it to your frontend in whatever way suites your application.

Default: True

JWT_CSRF_METHODS

A list of HTTP methods that we should do CSRF checks on.

Default: ["POST", "PUT", "PATCH", "DELETE"]

JWT_REFRESH_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for a refresh token. Only applicable if JWT_CSRF_CHECK_FORM is True

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "csrf_token"

JWT_REFRESH_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "X-CSRF-TOKEN"

Query String Options:

These are only applicable if a route is configured to accept JWTs via query string.

JWT_QUERY_STRING_NAME

What query string parameter should contain the JWT.

Default: "jwt"

JWT_QUERY_STRING_VALUE_PREFIX

An optional prefix string that should show up before the JWT in a query string parameter.

For example, if this was "Bearer ", the query string should look like "/endpoint?jwt=Bearer <JWT>"

Default: ""

JSON Body Options:

These are only applicable if a route is configured to accept JWTs via the JSON body.

JWT_JSON_KEY

What key should contain the access token in the JSON body of a request.

Default: "access_token"

JWT_REFRESH_JSON_KEY

What key should contain the refresh token in the JSON body of a request.

Default: "access_token"