Latest Threat ResearchGlassWorm Loader Hits Open VSX via Developer Account Compromise.Details →

Book a Demo Install Sign in

python-jwt

Package Overview

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

python-jwt

Module for generating and verifying JSON Web Tokens

PyPI

Version: 3.3.4

Maintainers: 1

python-jwt

Module for generating and verifying JSON Web Tokens.

All versions of python-jwt are now DEPRECATED. I don't have the time to maintain this module.

Note: Versions 3.3.4 and later fix a vulnerability (CVE-2022-39227) in JSON Web Token verification which lets an attacker with a valid token re-use its signature with modified claims. CVE to follow. Please upgrade!
Note: From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.
Note: Versions 1.0.0 and later fix a vulnerability in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. verify_jwt now requires you to specify which signature algorithms are allowed.
Uses jwcrypto to do the heavy lifting.
Supports RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, ES256K, EdDSA and none signature algorithms.
Unit tests, including tests for interoperability with jose.
Supports Python 3.6+. Note: generate_jwt returns the token as a Unicode string.

Example:

import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
payload = { 'foo': 'bar', 'wup': 90 };
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload: assert claims[k] == payload[k]

The API is described here.

Installation

pip install python_jwt

Another Example

You can read and write keys from and to PEM-format strings:

import python_jwt as jwt, jwcrypto.jwk as jwk, datetime
key = jwk.JWK.generate(kty='RSA', size=2048)
priv_pem = key.export_to_pem(private_key=True, password=None)
pub_pem = key.export_to_pem()
payload = { 'foo': 'bar', 'wup': 90 };
priv_key = jwk.JWK.from_pem(priv_pem)
pub_key = jwk.JWK.from_pem(pub_pem)
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
for k in payload: assert claims[k] == payload[k]

Licence

MIT

Tests

make test

Lint

make lint

Code Coverage

make coverage

coverage.py results are available here.

Coveralls page is here.

Benchmarks

make bench

Here are some results on a laptop with an Intel Core i5-4300M 2.6Ghz CPU and 8Gb RAM running Ubuntu 17.04.

Generate Key	user (ns)	sys (ns)	real (ns)
RSA	103,100,000	200,000	103,341,537

Generate Token	user (ns)	sys (ns)	real (ns)
HS256	220,000	0	226,478
HS384	220,000	0	218,233
HS512	230,000	0	225,823
PS256	1,530,000	10,000	1,536,235
PS384	1,550,000	0	1,549,844
PS512	1,520,000	10,000	1,524,844
RS256	1,520,000	10,000	1,524,565
RS384	1,530,000	0	1,528,074
RS512	1,510,000	0	1,526,089

Load Key	user (ns)	sys (ns)	real (ns)
RSA	210,000	3,000	210,791

Verify Token	user (ns)	sys (ns)	real (ns)
HS256	100,000	0	101,478
HS384	100,000	10,000	103,014
HS512	110,000	0	104,323
PS256	230,000	0	231,058
PS384	240,000	0	237,551
PS512	240,000	0	232,450
RS256	230,000	0	227,737
RS384	230,000	0	230,698
RS512	230,000	0	228,624

FAQs

What is python-jwt?

Is python-jwt well maintained?

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install