JSON Web Token implementation in Python
PyJWT
=====
A Python implementation of [JSON Web Token draft 01](http://self-issued.info/docs/draft-jones-json-web-token-01.html).
Installing
----------

    sudo easy_install PyJWT

**Note**: The RSASSA-PKCS1-v1_5 algorithms depend on PyCrypto. If you plan on
using any of those algorithms you'll need to install it as well.

    sudo easy_install PyCrypto

Usage
-----

    import jwt
    jwt.encode({"some": "payload"}, "secret")

Note that the resulting JWT is not encrypted: its payload is readable by
anyone, and the secret key only makes it verifiable.

    jwt.decode("someJWTstring", "secret")

If the secret is wrong, it will raise a `jwt.DecodeError` telling you as such.
You can still get the payload without checking the signature by setting the
`verify` argument to `False`; a payload obtained this way is unauthenticated.

    jwt.decode("someJWTstring", verify=False)

Algorithms
----------
The JWT spec supports several algorithms for cryptographic signing. This library
currently supports:
* HS256 - HMAC using SHA-256 hash algorithm (default)
* HS384 - HMAC using SHA-384 hash algorithm
* HS512 - HMAC using SHA-512 hash algorithm
* RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
* RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
* RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm

Change the algorithm by setting it in encode:

    jwt.encode({"some": "payload"}, "secret", "HS512")

When using the RSASSA-PKCS1-v1_5 algorithms, the `key` argument in both
`jwt.encode()` and `jwt.decode()` (`"secret"` in the examples) is expected to
be an RSA private key as imported with `Crypto.PublicKey.RSA.importKey()`.
Tests
-----
You can run tests from the project root after cloning with:

    python tests/test_jwt.py

Support of reserved claim names
-------------------------------
JSON Web Token defines some reserved claim names and defines how they should be
used. PyJWT supports these reserved claim names:

- "exp" (Expiration Time) Claim

Expiration Time Claim
=====================
From [draft 01 of the JWT spec](http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedClaimName):
> The exp (expiration time) claim identifies the expiration time on or after
> which the JWT MUST NOT be accepted for processing. The processing of the exp
> claim requires that the current date/time MUST be before the expiration
> date/time listed in the exp claim. Implementers MAY provide for some small
> leeway, usually no more than a few minutes, to account for clock skew. Its
> value MUST be a number containing an IntDate value. Use of this claim is
> OPTIONAL.

You can pass the expiration time as a UTC UNIX timestamp (an int) or as a
datetime, which will be converted into an int. For example:

    from datetime import datetime

    jwt.encode({"exp": 1371720939}, "secret")
    jwt.encode({"exp": datetime.utcnow()}, "secret")

Expiration time is automatically verified in `jwt.decode()` and raises
`jwt.ExpiredSignature` if the expiration time is in the past:

    import jwt

    try:
        jwt.decode('JWT_STRING', "secret")
    except jwt.ExpiredSignature:
        # Signature has expired
        pass

Expiration time will be compared to the current UTC time (as given by
`timegm(datetime.utcnow().utctimetuple())`), so be sure to use a UTC timestamp
or datetime in encoding.

You can turn off expiration time verification with the `verify_expiration` argument.

PyJWT also supports the leeway part of the expiration time definition, which
means you can validate an expiration time which is in the past but not very far.
For example, if you have a JWT payload with an expiration time set to 30 seconds
after creation but you know that sometimes you will process it after 30 seconds,
you can set a leeway of 10 seconds in order to have some margin:

    import time
    from datetime import datetime, timedelta

    import jwt

    jwt_payload = jwt.encode({'exp': datetime.utcnow() + timedelta(seconds=30)}, 'secret')
    time.sleep(32)
    # JWT payload is now expired
    # But with some leeway, it will still validate
    jwt.decode(jwt_payload, 'secret', leeway=10)

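
The checks described in this README for an HS256 token (signature first, then `exp` with leeway), written out with only the standard library. This is an added example, not PyJWT's own code; the function names, the exception classes defined here and the `now` parameter are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

class DecodeError(Exception):
    """Malformed token, unexpected algorithm, or bad signature."""

class ExpiredSignature(Exception):
    """The exp claim (plus leeway) is not in the future."""

def _b64(data):
    # JWT segments are URL-safe base64 without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(seg):
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def encode_hs256(payload, key):
    header = _b64(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    signing_input = header + b"." + _b64(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + _b64(sig)

def decode_hs256(token, key, leeway=0, now=None):
    try:
        header_seg, body_seg, sig_seg = token.split(b".")
        header = json.loads(_unb64(header_seg))
        sig = _unb64(sig_seg)
    except ValueError as exc:
        raise DecodeError("malformed token") from exc
    # Pin the algorithm: the token's header must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise DecodeError("unexpected algorithm")
    expected = hmac.new(key, header_seg + b"." + body_seg, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise DecodeError("signature verification failed")
    # Only parse the payload after the signature has been verified.
    payload = json.loads(_unb64(body_seg))
    exp = payload.get("exp") if isinstance(payload, dict) else None
    now = time.time() if now is None else now  # seconds since epoch, UTC
    # Spec text quoted above: reject on or after exp; leeway extends that.
    if exp is not None and now >= exp + leeway:
        raise ExpiredSignature("signature has expired")
    return payload
```

Passing `now` explicitly makes the expiry boundary testable without sleeping; in normal use it defaults to the current time.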
License
-------
MIT

Download files
--------------
- Source distribution: PyJWT-0.2.0.tar.gz (6.2 kB)
- Built distributions: PyJWT-0.2.0-py3.3.egg (10.0 kB), PyJWT-0.2.0-py2.7.egg (9.9 kB), PyJWT-0.2.0-py2.6.egg (9.9 kB)