Module for generating and verifying JSON Web Tokens.

• Note: From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to avoid conflict with PyJWT.
• Note: Versions 1.0.0 and later fix a vulnerability in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. verify_jwt now requires you to specify which signature algorithms are allowed.
• Uses python-jws to do the heavy lifting.
• Supports RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512 and none signature algorithms.
• Unit tests, including tests for interoperability with node-jsjws.
• Supports Python 3.4. Note: generate_jwt returns the token as a Unicode string, even on Python 2.7.

Example:

import python_jwt as jwt, Crypto.PublicKey.RSA as RSA, datetime
key = RSA.generate(2048)
payload = { 'foo': 'bar', 'wup': 90 };
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload: assert claims[k] == payload[k]

The API is described here.

pip install python_jwt

You can read and write keys from and to PEM-format strings:

import python_jwt as jwt, Crypto.PublicKey.RSA as RSA, datetime
key = RSA.generate(2048)
priv_pem = key.exportKey()
pub_pem = key.publickey().exportKey()
payload = { 'foo': 'bar', 'wup': 90 };
priv_key = RSA.importKey(priv_pem)
pub_key = RSA.importKey(pub_pem)
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
for k in payload: assert claims[k] == payload[k]

MIT

make test

make lint

make coverage

coverage.py results are available here.

Coveralls page is here.

make bench

Here are some results on a laptop with an Intel Core i5-3210M 2.5Ghz CPU and 6Gb RAM running Ubuntu 13.04.