Skip to main content

Django app that uses JWT to manage one-time and expiring links to protected URLs.

Project description


Django app that uses JWT to manage one-time and expiring tokens to protected URLs.


Use Cases

This library supports three core use cases, each of which is modelled using the login_mode attribute of a request token:

  1. Public link with payload
  2. Single authenticated request
  3. Auto-login

Public Link (login_mode==RequestToken.LOGIN_MODE_NONE)

In this mode (the default for a new token), there is no authentication, and no assigned user (‘aud’ claim). The token is used as a mechanism for attaching a payload to the link. An example of this might be a custom registration or affiliate link, that renders the standard template with additional information extracted from the token - e.g. the name of the affiliate, or the person who invited you to register.

Single Request (login_mode==RequestToken.LOGIN_MODE_REQUEST)

In Request mode, the request.user property is overridden by the user specified in the token, but only for a single request. This is useful for responding to a single action (e.g. RSVP, unsubscribe). If the user then navigates onto another page on the site, they will not be authenticated. If the user is already authenticated, but as a different user to the one in the token, then they will receive a 403 response.

Auto-login (login_mode==RequestToken.LOGIN_MODE_SESSION)

This is the nuclear option, and must be treated with extreme care. Using a Session token will automatically log the user in for an entire session, giving the user who clicks on the link full access the token user’s account. This is useful for automatic logins. A good example of this is the email login process on, which takes an email address (no password) and sends out a login link.

Session tokens must be single-use, and have a fixed expiry of one minute.



  • RequestToken model - hold token details
  • Middleware - decodes and verifies tokens
  • Decorator - applies token permissions to views



The default querystring argument name used to extract the token from incoming requests.

String, defaults to token


Session tokens have a fixed expiry interval (i.e. you can’t set a Session token to expire in a day), specified in minutes. The primary use case (above) dictates that the expiry should be no longer than it takes to receive and open an email.

Integer, defaults to 1 (minute).










@jpadilla for PyJWT

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for django-jwt-expiringlinks, version 0.2.0-dev
Filename, size File type Python version Upload date Hashes
Filename, size django-jwt-expiringlinks-0.2.0-dev.tar.gz (14.4 kB) File type Source Python version None Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page