Configuration Options

You can change many options for this extension works via Flask’s Configuration Handling. For example:

app.config["OPTION_NAME"] = option_value

Overview:

• General Options:

  • JWT_ACCESS_TOKEN_EXPIRES

  • JWT_ALGORITHM

  • JWT_DECODE_ALGORITHMS

  • JWT_DECODE_AUDIENCE

  • JWT_DECODE_ISSUER

  • JWT_DECODE_LEEWAY

  • JWT_ENCODE_AUDIENCE

  • JWT_ENCODE_ISSUER

  • JWT_ENCODE_NBF

  • JWT_ERROR_MESSAGE_KEY

  • JWT_IDENTITY_CLAIM

  • JWT_PRIVATE_KEY

  • JWT_PUBLIC_KEY

  • JWT_REFRESH_TOKEN_EXPIRES

  • JWT_SECRET_KEY

  • JWT_TOKEN_LOCATION

• Header Options:

  • JWT_HEADER_NAME

  • JWT_HEADER_TYPE

• Cookie Options:

  • JWT_ACCESS_COOKIE_NAME

  • JWT_ACCESS_COOKIE_PATH

  • JWT_COOKIE_CSRF_PROTECT

  • JWT_COOKIE_DOMAIN

  • JWT_COOKIE_SAMESITE

  • JWT_COOKIE_SECURE

  • JWT_REFRESH_COOKIE_NAME

  • JWT_REFRESH_COOKIE_PATH

  • JWT_SESSION_COOKIE

• Cross Site Request Forgery Options:

  • JWT_ACCESS_CSRF_COOKIE_NAME

  • JWT_ACCESS_CSRF_COOKIE_PATH

  • JWT_ACCESS_CSRF_FIELD_NAME

  • JWT_ACCESS_CSRF_HEADER_NAME

  • JWT_CSRF_CHECK_FORM

  • JWT_CSRF_IN_COOKIES

  • JWT_CSRF_METHODS

  • JWT_REFRESH_CSRF_COOKIE_NAME

  • JWT_REFRESH_CSRF_COOKIE_PATH

  • JWT_REFRESH_CSRF_FIELD_NAME

  • JWT_REFRESH_CSRF_HEADER_NAME

• Query String Options:

  • JWT_QUERY_STRING_NAME

  • JWT_QUERY_STRING_VALUE_PREFIX

• JSON Body Options:

  • JWT_JSON_KEY

  • JWT_REFRESH_JSON_KEY

General Options:

JWT_ACCESS_TOKEN_EXPIRES

How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_access_token()

Default: datetime.timedelta(minutes=15)

JWT_ALGORITHM

Which algorithm to sign the JWT with. See PyJWT for the available algorithms.

Default: "HS256"

JWT_DECODE_ALGORITHMS

Which algorithms to use when decoding a JWT. See PyJWT for the available algorithms.

By default this will always be the same algorithm that is defined in JWT_ALGORITHM.

Default: ["HS256"]

JWT_DECODE_AUDIENCE

The string or list of audiences (aud) expected in a JWT when decoding it.

Default: None

JWT_DECODE_ISSUER

The issuer (iss) you expect in a JWT when decoding it.

Default: None

JWT_DECODE_LEEWAY

The number of seconds a token will be considered valid before the Not Before Time (nbf) and after the Expires Time (`exp). This can be useful when dealing with clock drift between clients.

Default: 0

JWT_ENCODE_AUDIENCE

The string or list of audiences (aud) for created JWTs.

Default: None

JWT_ENCODE_ISSUER

The issuer (iss) for created JWTs.

Default: None

JWT_ENCODE_NBF

The not before (nbf) claim which defines that a JWT MUST NOT be accepted for processing during decode.

Default: True

JWT_ERROR_MESSAGE_KEY

The key for error messages in a JSON response returned by this extension.

Default: "msg"

JWT_IDENTITY_CLAIM

The claim in a JWT that is used as the source of identity.

Default: "sub"

JWT_PRIVATE_KEY

The secret key used to encode JWTs when using an asymmetric signing algorithm (such as RS* or ES*). The key must be in PEM format.

Do not reveal the secret key when posting questions or committing code.

Default: None

JWT_PUBLIC_KEY

The secret key used to decode JWTs when using an asymmetric signing algorithm (such as RS* or ES*). The key must be in PEM format.

Default: None

JWT_REFRESH_TOKEN_EXPIRES

How long a refresh token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_refresh_token()

Default: datetime.timedelta(days=30)

JWT_SECRET_KEY

The secret key used to encode and decode JWTs when using a symmetric signing algorithm (such as HS*). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config.

$ python -c 'import os; print(os.urandom(16))'
b'_5#y2L"F4Q8z\n\xec]/'

If this value is not set, Flask’s SECRET_KEY is used instead.

Do not reveal the secret key when posting questions or committing code.

Note: there is ever a need to invalidate all issued tokens (e.g. a security flaw was found, or the revoked token database was lost), this can be easily done by changing the JWT_SECRET_KEY (or Flask’s SECRET_KEY, if JWT_SECRET_KEY is unset).

Default: None

JWT_TOKEN_LOCATION

Where to look for a JWT when processing a request. The available options are "headers", "cookies", "query_string", and "json".

You can pass in a list to check more then one location, for example ["headers", "cookies"]. The order of the list sets the precedence of where JWTs will be looked for.

This can be overridden on a per-route basis by using the locations argument in flask_jwt_extended.jwt_required().

Default: "headers"

Header Options:

These are only applicable if a route is configured to accept JWTs via headers.

JWT_HEADER_NAME

What header should contain the JWT in a request

Default: "Authorization"

JWT_HEADER_TYPE

What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT.

Default: "Bearer"

Cookie Options:

These are only applicable if a route is configured to accept JWTs via cookies.

JWT_ACCESS_COOKIE_NAME

The name of the cookie that will hold the access token.

Default: "access_token_cookie"

JWT_ACCESS_COOKIE_PATH

The path for the access cookies

Default: "/"

JWT_COOKIE_CSRF_PROTECT

Controls if Cross Site Request Forgery (CSRF) protection is enabled when using cookies.

This should always be True in production

Default: True

JWT_COOKIE_DOMAIN

Value to use for cross domain cookies. For example, if JWT_COOKIE_DOMAIN is ".example.com", the cookies will be set so they are readable by the domains www.example.com, foo.example.com etc. Otherwise, a cookie will only be readable by the domain that set it.

Default: None

JWT_COOKIE_SAMESITE

Controls how the cookies should be sent in a cross-site browsing context. Available options are "None", "Lax", or "Strict".

To use SameSite=None, you must set this option to the string "None" as well as setting JWT_COOKIE_SECURE to True.

See the MDN docs for more information.

Default: None, which is treated as "Lax" by browsers.

JWT_COOKIE_SECURE

Controls if the secure flag should be placed on cookies created by this extension. If a cookie is marked as secure it will only be sent by the web browser over an HTTPS connection.

This should always be True in production.

Default: False

JWT_REFRESH_COOKIE_NAME

The name of the cookie that will hold the refresh token.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "refresh_token_cookie"

JWT_REFRESH_COOKIE_PATH

The path for the refresh cookies

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "/"

JWT_SESSION_COOKIE

Controls if the cookies will be set as session cookies, which are deleted when the browser is closed.

Default: True

Cross Site Request Forgery Options:

These are only applicable if a route is configured to accept JWTs via cookies and JWT_COOKIE_CSRF_PROTECT is True.

JWT_ACCESS_CSRF_COOKIE_NAME

The name of the cookie that contains the CSRF double submit token. Only applicable if JWT_CSRF_IN_COOKIES is True

Default: csrf_access_token

JWT_ACCESS_CSRF_COOKIE_PATH

The path of the access CSRF double submit cookie.

Default: "/"

JWT_ACCESS_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for an access token. Only applicable if JWT_CSRF_CHECK_FORM is True

Default: "csrf_token"

JWT_ACCESS_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Default: "X-CSRF-TOKEN"

JWT_CSRF_CHECK_FORM

Controls if form data should also be check for the CSRF double submit token.

Default: False

JWT_CSRF_IN_COOKIES

Controls if the CSRF double submit token will be stored in additional cookies. If setting this to False, you can use flask_jwt_extended.get_csrf_token() to get the csrf token from an encoded JWT, and return it to your frontend in whatever way suites your application.

Default: True

JWT_CSRF_METHODS

A list of HTTP methods that we should do CSRF checks on.

Default: ["POST", "PUT", "PATCH", "DELETE"]

JWT_REFRESH_CSRF_COOKIE_NAME

The name of the cookie that contains the CSRF double submit token. Only applicable if JWT_CSRF_IN_COOKIES is True

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: csrf_refresh_token

JWT_REFRESH_CSRF_COOKIE_PATH

The path of the refresh CSRF double submit cookie.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "/"

JWT_REFRESH_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for a refresh token. Only applicable if JWT_CSRF_CHECK_FORM is True

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "csrf_token"

JWT_REFRESH_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "X-CSRF-TOKEN"

Query String Options:

These are only applicable if a route is configured to accept JWTs via query string.

JWT_QUERY_STRING_NAME

What query string parameter should contain the JWT.

Default: "jwt"

JWT_QUERY_STRING_VALUE_PREFIX

An optional prefix string that should show up before the JWT in a query string parameter.

For example, if this was "Bearer ", the query string should look like "/endpoint?jwt=Bearer <JWT>"

Default: ""

JSON Body Options:

These are only applicable if a route is configured to accept JWTs via the JSON body.

JWT_JSON_KEY

What key should contain the access token in the JSON body of a request.

Default: "access_token"

JWT_REFRESH_JSON_KEY

What key should contain the refresh token in the JSON body of a request.

Default: "access_token"