Django-graphql-jwt reads your configuration from a single Django setting named ``GRAPHQL_JWT``:

.. code-block:: python

    from datetime import timedelta

    GRAPHQL_JWT = {
        "JWT_VERIFY_EXPIRATION": True,
        "JWT_EXPIRATION_DELTA": timedelta(minutes=10),
    }
Here's a list of settings available in django-graphql-jwt and their default values:
Algorithm for cryptographic signing.

Default: ``"HS256"``

Identifies the recipients that the JWT is intended for (the ``aud`` claim).

Default: ``None``

Identifies the principal that issued the JWT (the ``iss`` claim).

Default: ``None``

Leeway for expiration checks: accept an expiration time that is already in the past, but by no more than this amount.

Default: ``timedelta(seconds=0)``

The secret key used to sign the JWT.

Default: ``settings.SECRET_KEY``

The RSA public key for the RS256, RS384 or RS512 asymmetric algorithms, used to verify signatures. When set, the ``JWT_SECRET_KEY`` setting is ignored.

Default: ``None``

The RSA private key for the RS256, RS384 or RS512 asymmetric algorithms, used to sign tokens. When set, the ``JWT_SECRET_KEY`` setting is ignored.

Default: ``None``

Signature verification: check the token's signature against the secret key (or the public key for the RS algorithms). Leave this enabled; with it off, a tampered or unsigned token is accepted as if it were valid.

Default: ``True``
A custom function to encode the token.

.. autofunction:: graphql_jwt.utils.jwt_encode

A custom function to decode the token.

.. autofunction:: graphql_jwt.utils.jwt_decode

A custom function to generate the token payload.

.. autofunction:: graphql_jwt.utils.jwt_payload

A custom function to obtain the username from the payload.

Default: ``lambda payload: payload.get(get_user_model().USERNAME_FIELD)``

A custom function to get the User object from the username.

.. autofunction:: graphql_jwt.utils.get_user_by_natural_key
Expiration time verification: reject tokens whose ``exp`` claim has passed. The default is off, so tokens are accepted regardless of their age; enable it unless you have a specific reason not to.

Default: ``False``

Timedelta added to ``utcnow()`` to set the expiration time.

Default: ``timedelta(minutes=5)``

Enable token refresh.

Default: ``True``

Limit on token refresh: a token can no longer be refreshed once this much time has passed since it was originally issued.

Default: ``timedelta(days=7)``

Enable long-running refresh tokens, stored in the database.

Default: ``False``

The model used to represent a refresh token.

.. autoclass:: graphql_jwt.refresh_token.models.RefreshToken

Number of random bytes used to generate a long-running refresh token.

Default: ``20``

When enabled, a refresh generates a new long-running refresh token that replaces the existing database record in place, which invalidates the previous long-running refresh token.

Default: ``False``

A custom function to determine whether refresh has expired.

.. autofunction:: graphql_jwt.utils.refresh_has_expired

A custom function to retrieve a long-running refresh token instance.

.. autofunction:: graphql_jwt.refresh_token.utils.get_refresh_token_by_model
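The signing, expiration and refresh-limit settings above interact in ways the one-line descriptions do not show, in particular what happens when signature verification or expiration verification is switched off. The following is an added example, not django-graphql-jwt's own code: a minimal HS256 JWT built with the standard library only, whose knobs mirror the ``GRAPHQL_JWT`` keys ``JWT_ALGORITHM``, ``JWT_SECRET_KEY``, ``JWT_VERIFY``, ``JWT_VERIFY_EXPIRATION``, ``JWT_LEEWAY``, ``JWT_EXPIRATION_DELTA`` and ``JWT_REFRESH_EXPIRATION_DELTA`` (these key names are the library's, even though this page does not print them). The secret, the timestamps and the ``origIat`` claim name used for the original issue time are assumptions made for the example.

```python
"""Pure-Python model of django-graphql-jwt's verification settings.

Added example, not the library's code. Standard library only, so it runs
without Django or PyJWT. Key names mirror GRAPHQL_JWT; the secret and the
``origIat`` claim name are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
from datetime import timedelta

# Constructed settings: defaults as documented on the page, throwaway secret.
DEFAULTS = {
    "JWT_ALGORITHM": "HS256",
    "JWT_SECRET_KEY": "constructed-example-secret-do-not-reuse",
    "JWT_VERIFY": True,
    "JWT_VERIFY_EXPIRATION": False,
    "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
    "JWT_LEEWAY": timedelta(seconds=0),
    "JWT_REFRESH_EXPIRATION_DELTA": timedelta(days=7),
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, settings: dict) -> bytes:
    if settings["JWT_ALGORITHM"] != "HS256":
        raise ValueError("this model only implements HS256")
    return hmac.new(settings["JWT_SECRET_KEY"].encode(), signing_input, hashlib.sha256).digest()


def jwt_payload(username: str, settings: dict, now: int) -> dict:
    """exp = now + JWT_EXPIRATION_DELTA; origIat anchors the refresh window."""
    return {
        "username": username,
        "exp": now + int(settings["JWT_EXPIRATION_DELTA"].total_seconds()),
        "origIat": now,
    }


def jwt_encode(payload: dict, settings: dict) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _sign(f"{header}.{body}".encode(), settings)
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_decode(token: str, settings: dict, now: int) -> dict:
    """Signature check gated by JWT_VERIFY, exp check by JWT_VERIFY_EXPIRATION."""
    header, body, sig = token.split(".")
    if settings["JWT_VERIFY"]:
        expected = _sign(f"{header}.{body}".encode(), settings)
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(body))
    if settings["JWT_VERIFY_EXPIRATION"]:
        leeway = int(settings["JWT_LEEWAY"].total_seconds())
        if now > payload["exp"] + leeway:
            raise ValueError("token expired")
    return payload


def accepts(token: str, settings: dict, now: int) -> bool:
    """True if jwt_decode would accept the token under these settings."""
    try:
        jwt_decode(token, settings, now)
    except ValueError:
        return False
    return True


def refresh_has_expired(orig_iat: int, settings: dict, now: int) -> bool:
    """Refresh is allowed only within JWT_REFRESH_EXPIRATION_DELTA of origIat."""
    return now > orig_iat + int(settings["JWT_REFRESH_EXPIRATION_DELTA"].total_seconds())


def forge_username(token: str, username: str) -> str:
    """Attacker's move: rewrite the payload but keep the original signature."""
    header, body, sig = token.split(".")
    payload = json.loads(_b64url_decode(body))
    payload["username"] = username
    return f"{header}.{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"


def demo() -> dict:
    """Run the scenarios that matter for these settings; outcomes keyed by name."""
    issued = 1_700_000_000  # constructed issue time (seconds since the epoch)
    strict = dict(DEFAULTS, JWT_VERIFY_EXPIRATION=True)
    token = jwt_encode(jwt_payload("alice", strict, issued), strict)
    forged = forge_username(token, "admin")
    return {
        "fresh": accepts(token, strict, issued + 10),
        "expired_1s_no_leeway": accepts(token, strict, issued + 301),
        "expired_1s_10s_leeway": accepts(token, dict(strict, JWT_LEEWAY=timedelta(seconds=10)), issued + 301),
        "expired_1y_page_defaults": accepts(token, DEFAULTS, issued + 365 * 86400),
        "forged_verify_on": accepts(forged, strict, issued),
        "forged_verify_off": accepts(forged, dict(strict, JWT_VERIFY=False), issued),
        "refresh_after_8_days_expired": refresh_has_expired(issued, strict, issued + 8 * 86400),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two of the outcomes are the ones to remember: with the page defaults (``JWT_VERIFY_EXPIRATION`` off) a token a year past its ``exp`` is still accepted, and with ``JWT_VERIFY`` off a token whose username was rewritten after signing decodes as ``admin``. ``JWT_LEEWAY`` only widens the window around ``exp``; ``JWT_REFRESH_EXPIRATION_DELTA`` is measured from ``origIat``, so refreshing cannot extend a token's life indefinitely.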
A custom function that decides, per field, whether a request may proceed without authentication.

.. autofunction:: graphql_jwt.middleware.allow_any

A list or tuple of Graphene classes that do not need authentication.

Default: ``()``

Authorization header name, as the key under which Django exposes the header in ``request.META``.

Default: ``"HTTP_AUTHORIZATION"``

Authorization header prefix, so that the header is sent as ``Authorization: JWT <token>``.

Default: ``"JWT"``

Allow the per-argument authentication system, where the token is passed as an argument of the GraphQL field instead of in a header or cookie.

Default: ``False``

Argument name for the per-argument authentication system.

Default: ``"token"``

The name of the cookie when HTTP cookies are used as a transport for the token.

Default: ``"JWT"``

The name of the cookie when HTTP cookies are used as a transport for the refresh token.

Default: ``"JWT-refresh-token"``

Whether to use a secure cookie for the JWT cookie. If this is set to ``True``, the cookie is marked ``Secure``, which means browsers only send it over an HTTPS connection. Keep the default only for local development.

Default: ``False``

Document location (path) for the cookie.

Default: ``"/"``

Set a domain if you want a cross-domain cookie.

Default: ``None``

Use ``'Strict'`` or ``'Lax'`` to tell the browser not to send the JWT cookie when performing a cross-origin request (Django ≥ 2.1 required).
Use ``'None'`` (the string) to explicitly state that the JWT cookie is sent with all same-site and cross-site requests (Django ≥ 3.1 required).

Default: ``None``

For cookie-based authentication, remove the token fields from the GraphQL schema, so that a script injected through XSS cannot read the token from a mutation response and the token only travels in the cookie.

Default: ``False``

Rotate CSRF tokens each time a token or refresh token is issued.

Default: ``False``
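Several of the transport and cookie defaults above are development-friendly rather than production-safe, and the weak ones only matter in combination with how the token is delivered. The following audit is an added example, not django-graphql-jwt's code: it takes a ``GRAPHQL_JWT`` dict, fills in the defaults documented on this page, and returns the settings that leave a token exposed. The key names are the ones django-graphql-jwt uses for the entries above (this page's extraction does not print them); the ``cookies_in_use`` flag is an assumption standing in for "the site delivers the JWT in a cookie", which the library has no single setting for, and the one-hour ceiling on ``JWT_EXPIRATION_DELTA`` is this example's own threshold.

```python
"""Audit a GRAPHQL_JWT dict for the weak defaults documented on this page.

Added example, not django-graphql-jwt's code. Key names are the library's
GRAPHQL_JWT settings; ``cookies_in_use`` and the one-hour lifetime ceiling
are assumptions made for this example.
"""
from datetime import timedelta
from typing import List, Tuple

# Defaults exactly as documented on the page for the settings audited here.
PAGE_DEFAULTS = {
    "JWT_VERIFY": True,
    "JWT_VERIFY_EXPIRATION": False,
    "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
    "JWT_ALLOW_ARGUMENT": False,
    "JWT_COOKIE_SECURE": False,
    "JWT_COOKIE_SAMESITE": None,
    "JWT_HIDE_TOKEN_FIELDS": False,
    "JWT_CSRF_ROTATION": False,
}

# A hardened configuration for cookie transport, constructed for this example.
HARDENED = {
    "JWT_VERIFY": True,
    "JWT_VERIFY_EXPIRATION": True,
    "JWT_EXPIRATION_DELTA": timedelta(minutes=5),
    "JWT_ALLOW_ARGUMENT": False,
    "JWT_COOKIE_SECURE": True,
    "JWT_COOKIE_SAMESITE": "Strict",
    "JWT_HIDE_TOKEN_FIELDS": True,
    "JWT_CSRF_ROTATION": True,
}


def audit(graphql_jwt: dict, cookies_in_use: bool) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs in check order; empty means nothing flagged."""
    s = {**PAGE_DEFAULTS, **graphql_jwt}
    findings: List[Tuple[str, str]] = []
    if not s["JWT_VERIFY"]:
        findings.append(("JWT_VERIFY",
                         "signature verification is off; forged tokens are accepted"))
    if not s["JWT_VERIFY_EXPIRATION"]:
        findings.append(("JWT_VERIFY_EXPIRATION",
                         "exp is not checked (the page default); a leaked token stays valid forever"))
    if s["JWT_EXPIRATION_DELTA"] > timedelta(hours=1):  # example's own ceiling
        findings.append(("JWT_EXPIRATION_DELTA",
                         "access tokens live longer than an hour; use refresh instead"))
    if s["JWT_ALLOW_ARGUMENT"]:
        findings.append(("JWT_ALLOW_ARGUMENT",
                         "tokens travel inside the GraphQL document and reach whatever logs or persists queries"))
    if cookies_in_use:
        if not s["JWT_COOKIE_SECURE"]:
            findings.append(("JWT_COOKIE_SECURE",
                             "cookie lacks the Secure flag and may be sent over plain HTTP"))
        if s["JWT_COOKIE_SAMESITE"] in (None, "None"):
            findings.append(("JWT_COOKIE_SAMESITE",
                             "cookie is sent on cross-site requests; CSRF protection must carry the load"))
        if not s["JWT_HIDE_TOKEN_FIELDS"]:
            findings.append(("JWT_HIDE_TOKEN_FIELDS",
                             "token is still returned in the schema, so XSS can read it despite the cookie"))
        if not s["JWT_CSRF_ROTATION"]:
            findings.append(("JWT_CSRF_ROTATION",
                             "CSRF token is not rotated when a JWT is issued"))
    return findings


if __name__ == "__main__":
    print("page defaults, cookie transport:")
    for setting, finding in audit({}, cookies_in_use=True):
        print(f"  {setting}: {finding}")
    print("hardened:", audit(HARDENED, cookies_in_use=True) or "no findings")
```

Run against an empty dict (the page defaults) with cookie transport, the audit flags five settings; the same defaults with header transport flag only ``JWT_VERIFY_EXPIRATION``, which is the one default worth changing regardless of how the token is delivered.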