Skip to main content


Project description

NOTE: This is an early version of the code is the library is likely to change.

This is a Pyramid authenitcation plugin for JSON Web Token (JWT) Authentication:

To access resources using JWT Access Authentication, the client must have obtained a JWT to make signed requests to the server. This library also makes JSON Web Tokens for the client. The Token can be opaque to client although, unless it is encrypted, the client can read the claims made in the token.

When accessing a protected resource, the server will generate a 401 challenge response with the scheme “JWT” as follows:

> GET /protected_resource HTTP/1.1
> Host:

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: JWT

The client will use their JWT to build a request signature and include it in the Authorization header like so:

> GET /protected_resource HTTP/1.1
> Host:
> Authorization: JWT token=eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt

< HTTP/1.1 200 OK
< Content-Type: text/plain
< For your eyes only:  secret data!

(NB depending on the number of claims in the JWT the token can get large. For all practical purposes, it should be kept short.)

This plugin uses the PyJWT library for verifying JWTs:

Also see the library for generating the JWT for the client in the first place although any language can be used to generate it.


This module is heavily based on (and copied from) the Mozilla Services pyramid_macauth package and macauthlib package:

Without it, I would not have been able to make the small number of modifications to this package and get it to work with Pyramid.


This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at


  • Initial dev version 0.0.1.dev1.

Forked from version 0.4.0-dev1


Updated package requires to need PyJWT.


Updated package so that it can be downloaded for use by Python 3.3/3.4


Now works properly with RSA keys and fixed issue with not doing a 401 with the appropriate challenge. Dropped support for Python 2.6 and 3.2


Works with PyJWT 0.4.x (also unpinned). Contributions by (Wichert Akkerman <>) that enable the auth to use a ‘Bearer’ header rather than the custom header ‘JWT’.

Dropped support for Python 3.3 in tox, but it should still work fine.

Addition (from development) perspective of using Vagrant to develop and tox-test the package against python 2.7 and 3.4


Added ability to disable various checks via the PyJWT options{} in the decode() method. This is configured in the policy via the Pyramid setting system.


Merged PR#11 from Shadizzle to provide ability to configure ‘scheme’ from the INI file. Bumped version to 0.1.3.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pyramid_jwtauth, version 0.1.3
Filename, size File type Python version Upload date Hashes
Filename, size pyramid_jwtauth-0.1.3.tar.gz (19.1 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page