Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

python-jwt

Package Overview
Dependencies
Maintainers
1
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

python-jwt

Module for generating and verifying JSON Web Tokens

  • 4.1.0
  • PyPI
  • Socket score

Maintainers
1

python-jwt   Build Status Coverage Status PyPI version

Module for generating and verifying JSON Web Tokens.

All versions of python-jwt are now DEPRECATED. I don't have the time to maintain this module.

  • Note: Versions 3.3.4 and later fix a vulnerability (CVE-2022-39227) in JSON Web Token verification which lets an attacker with a valid token re-use its signature with modified claims. CVE to follow. Please upgrade!
  • Note: From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.
  • Note: Versions 1.0.0 and later fix a vulnerability in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. verify_jwt now requires you to specify which signature algorithms are allowed.
  • Uses jwcrypto to do the heavy lifting.
  • Supports RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, ES256K, EdDSA and none signature algorithms.
  • Unit tests, including tests for interoperability with jose.
  • Supports Python 3.6+. Note: generate_jwt returns the token as a Unicode string.

Example:

import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
payload = { 'foo': 'bar', 'wup': 90 };
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload: assert claims[k] == payload[k]

The API is described here.

Installation

pip install python_jwt

Another Example

You can read and write keys from and to PEM-format strings:

import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
priv_pem = key.export_to_pem(private_key=True, password=None)
pub_pem = key.export_to_pem()
payload = { 'foo': 'bar', 'wup': 90 };
priv_key = jwk.JWK.from_pem(priv_pem)
pub_key = jwk.JWK.from_pem(pub_pem)
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
for k in payload: assert claims[k] == payload[k]

Licence

MIT

Tests

make test

Lint

make lint

Code Coverage

make coverage

coverage.py results are available here.

Coveralls page is here.

Benchmarks

make bench

Here are some results on a laptop with an Intel Core i5-4300M 2.6Ghz CPU and 8Gb RAM running Ubuntu 17.04.

Generate Keyuser (ns)sys (ns)real (ns)
RSA103,100,000200,000103,341,537
Generate Tokenuser (ns)sys (ns)real (ns)
HS256220,0000226,478
HS384220,0000218,233
HS512230,0000225,823
PS2561,530,00010,0001,536,235
PS3841,550,00001,549,844
PS5121,520,00010,0001,524,844
RS2561,520,00010,0001,524,565
RS3841,530,00001,528,074
RS5121,510,00001,526,089
Load Keyuser (ns)sys (ns)real (ns)
RSA210,0003,000210,791
Verify Tokenuser (ns)sys (ns)real (ns)
HS256100,0000101,478
HS384100,00010,000103,014
HS512110,0000104,323
PS256230,0000231,058
PS384240,0000237,551
PS512240,0000232,450
RS256230,0000227,737
RS384230,0000230,698
RS512230,0000228,624

FAQs


Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc