Configuration Options

You can change many options for this extension works via Flask’s Configuration Handling. For example:

app.config["OPTION_NAME"] = option_value

General Options:

JWT_TOKEN_LOCATION

Where to look for a JWT when processing a request. The available options are "headers", "cookies", "query_string", and "json".

You can pass in a list to check more then one location, for example ["headers", "cookies"]. The order of the list sets the precedence of where JWTs will be looked for.

This can be overriden on a per-route basis by using the locations argument in flask_jwt_extended.jwt_required().

Default: "headers"

JWT_ACCESS_TOKEN_EXPIRES

How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_access_token()

Default: datetime.timedelta(minutes=15)

JWT_REFRESH_TOKEN_EXPIRES

How long an access token should be valid before it expires. This can be a datetime.timedelta, dateutil.relativedelta, or a number of seconds (Integer).

If set to False tokens will never expire. This is dangerous and should be avoided in most case

This can be overridden on a per token basis by passing the expires_delta argument to flask_jwt_extended.create_refresh_token()

Default: datetime.timedelta(days=30)

JWT_ALGORITHM

Which algorithm to sign the JWT with. See PyJWT for the available algorightms.

Default: "HS256"

JWT_DECODE_ALGORITHMS

Which algorithms to use when decoding a JWT. See PyJWT for the available algorightms.

By default this will always be the same algorithm that is defined in JWT_ALGORITHM.

Default: ["HS256"]

JWT_SECRET_KEY

The secret key used to encode and decode JWTs when using a symmetric signing algorightm (such as HS*). It should be a long random string of bytes, although unicode is accepted too. For example, copy the output of this to your config.

$ python -c 'import os; print(os.urandom(16))'
b'_5#y2L"F4Q8z\n\xec]/'

If this value is not set, Flask’s SECRET_KEY is used instead.

Do not reveal the secret key when posting questions or committing code.

Default: None

JWT_PRIVATE_KEY

The secret key used to encode JWTs when using an asymmetric signing algorightm (such as RS* or ES*). The key must be in PEM format.

Do not reveal the secret key when posting questions or committing code.

Default: None

JWT_PUBLIC_KEY

The secret key used to decode JWTs when using an asymmetric signing algorightm (such as RS* or ES*). The key must be in PEM format.

Default: None

JWT_DECODE_AUDIENCE

The string or list of audiences (aud) expected in a JWT when decoding it.

Default: None

JWT_ENCODE_AUDIENCE

The string or list of audiences (aud) for created JWTs.

Default: None

JWT_DECODE_ISSUER

The issuer (iss) you expect in a JWT when decoding it.

Default: None

JWT_ENCODE_ISSUER

The issuer (iss) for created JWTs.

Default: None

JWT_ENCODE_NBF

The not before (nbf) claim which defines that a JWT MUST NOT be accepted for processing during decode.

Default: True

JWT_DECODE_LEEWAY

The number of seconds a token will be considered valid before the Not Before Time (nbf) and after the Expires Time (`exp). This can be useful when dealing with clock drift between clients.

Default: 0

JWT_IDENTITY_CLAIM

The claim in a JWT that is used as the source of identity.

Default: "sub"

JWT_ERROR_MESSAGE_KEY

The key for error messages in a JSON response returned by this extension.

Default: "msg"

Header Options:

These are only applicable if a route is configured to accept JWTs via headers.

JWT_HEADER_NAME

What header should contain the JWT in a request

Default: "Authorization"

JWT_HEADER_TYPE

What type of header the JWT is in. If this is an empty string, the header should contain nothing besides the JWT.

Default: "Bearer"

Cross Site Request Forgery Options

These are only applicable if a route is configured to accept JWTs via cookies and JWT_COOKIE_CSRF_PROTECT is True.

JWT_CSRF_METHODS

A list of HTTP methods that we should do CSRF checks on.

Default: ["POST", "PUT", "PATCH", "DELETE"]

JWT_ACCESS_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Default: "X-CSRF-TOKEN"

JWT_REFRESH_CSRF_HEADER_NAME

The name of the header on an incoming request that should contain the CSRF double submit token.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "X-CSRF-TOKEN"

JWT_CSRF_IN_COOKIES

Controls if the CSRF double submit token will be stored in additional cookies. If setting this to False, you can use flask_jwt_extended.get_csrf_token() to get the csrf token from an encoded JWT, and return it to your frontend in whatever way suites your application.

Default: True

The name of the cookie that contains the CSRF double submit token. Only applicable if JWT_CSRF_IN_COOKIES is True

Default: csrf_access_token

The name of the cookie that contains the CSRF double submit token. Only applicable if JWT_CSRF_IN_COOKIES is True

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: csrf_refresh_token

The path of the access CSRF double submit cookie.

Default: "/"

The path of the refresh CSRF double submit cookie.

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "/"

JWT_CSRF_CHECK_FORM

Controls if form data should also be check for the CSRF double submit token.

Default: False

JWT_ACCESS_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for an access token. Only applicable if JWT_CSRF_CHECK_FORM is True

Default: "csrf_token"

JWT_REFRESH_CSRF_FIELD_NAME

Name of the form field that should contain the CSRF double submit token for a refresh token. Only applicable if JWT_CSRF_CHECK_FORM is True

Note: We generally do not recommend using refresh tokens with cookies. See Implicit Refreshing With Cookies.

Default: "csrf_token"

Query String Options:

These are only applicable if a route is configured to accept JWTs via query string.

JWT_QUERY_STRING_NAME

What query string parameter should contain the JWT.

Default: "jwt"

JWT_QUERY_STRING_VALUE_PREFIX

An optional prefix string that should show up before the JWT in a query string parameter.

For example, if this was "Bearer ", the query string should look like "/endpoint?jwt=Bearer <JWT>"

Default: ""

JSON Body Options:

These are only applicable if a route is configured to accept JWTs via the JSON body.

JWT_JSON_KEY

What key should contain the access token in the JSON body of a request.

Default: "access_token"

JWT_REFRESH_JSON_KEY

What key should contain the refresh token in the JSON body of a request.

Default: "access_token"