Python JWT introduction and use

JWT introduction

​ jwt (JSON Web Tokens) is a developed industry standard RFC 7519, which is used to securely express the statement between the two parties. At present, jwt is widely used in the user authentication of the system, especially in the front-end and back-end separation projects.

​jwt certification process:

In project development, authentication is generally performed according to the process shown in the figure above, that is: after the user logs in successfully, the server returns a token to the user browser, and the user browser needs to carry the token before sending a request to the server. Verify the legitimacy of the token, show the data to the user if it is legal, otherwise, return some error messages

What is the difference between traditional token method and jwt in terms of authentication?

Traditional token method

After the user logs in successfully, the server generates a random token to the user, and saves a token in the server (database or cache). Later, the user needs to carry the token when visiting again. After the server receives the token, it goes to the database or cache Check whether the token is timed out and legal

jwt way

After the user logs in successfully, the server generates a random token to the user through jwt (the server does not need to keep the token), and the user needs to carry the token when visiting again. After the server receives the token, the jwt verifies whether the token is timed out or not. legitimate

JWT create token

JWT generation principle

The format of the generated token of jwt is as follows, consisting of three strings connected by.


The generation rules are as follows

  • The HEADER part of the first paragraph always contains the algorithm and token type, and base64url encrypts this json
"alg": "HS256",
"typ": "JWT"
  • The second paragraph PAYLOAD part contains some data, this json is base64url encrypted
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
  • In the SIGNATURE part of the third paragraph, the base64url ciphertext of the first two paragraphs is spliced together, and then HS256 is encrypted, and then the hs256 ciphertext is encrypted by base64url.
		base64UrlEncode(header) + "." + base64UrlEncode(payload),
	your-256-bit-secret (Secret key plus salt)

Finally, the three strings are joined by. To generate the jwt token

Note: base64url encryption is to do base64 encryption first, and then replace-with + and _ with /

Principle of JWT verification token

Generally, after the authentication is successful, the token generated by jwt is returned to the user, and the user needs to carry the token when accessing again in the future. At this time, jwt needs to perform a timeout and legality check on the token.

After obtaining the token, it will be verified according to the following steps

  • Split the token into three parts: header_segment, payload_segment, crypto_segment

signing_input, crypto_segment = JWT_TOKEN.rsplit('.', 1)
header_segment, payload_segment = signing_input.split('.', 1)
  • Decrypt the first part of header_segment with base64url to get the header
  • Decrypt the second part of payload_segment with base64url to get the payload
  • Decrypt the third part of crypto_segment with base64url to get the signature, and verify the validity of the signature part of the data
    • Splice the first two ciphertexts to get signing_input
    • Obtain the encryption algorithm from the first paragraph of plaintext, the default is HS256
    • Use algorithm + salt to encrypt signing_input, and compare the result with the signature ciphertext

Sample code

Create jwt token based on Python’s pyjwt module


pip3 install pyjwt


from datetime import datetime, timedelta

import jwt

class JwtToken(object):

    _salt = "@^4_00wedv**pi)+(!w1rwi=d3q4l=ie=g-u$s8jevmj*zgg2h" 

    _expire_message = dict(code=1200, msg="token has expired")

    _unknown_error_message = dict(code=4200, msg="token parsing failed")

    def generate_token(cls, payload: dict) -> str:
        headers = dict(typ="jwt", alg="HS256")
        resut = jwt.encode(payload=payload, key=cls._salt, algorithm="HS256", headers=headers)
        return resut

    def parse_token(cls, token: str) -> tuple:
        verify_status = False
            payload_data = jwt.decode(token, cls._salt, algorithms=['HS256'])
            verify_status = True
        except jwt.ExpiredSignatureError:
            payload_data = cls._expire_message
        except Exception as _err:
            payload_data = cls._unknown_error_message
        return verify_status, payload_data

if __name__ == '__main__':
    TEST_DATA = dict(name="mooor", exp=datetime.utcnow() - timedelta(seconds=1))
    token = JwtToken.generate_token(TEST_DATA)
    payload = JwtToken.parse_token(token)

Expiration time will be compared to the current UTC time (as given by timegm(datetime.utcnow().utctimetuple())), so be sure to use a UTC timestamp or datetime in encoding

Parameter introduction

Sample code

import jwt
import datetime

dic = {
    'exp': datetime.datetime.utcnow() + datetime.timedelta(days=1),  # expire date
    'iat': datetime.datetime.utcnow(),  #  Starting time
    'iss': 'ChaosMoor',                 #  signature
    'data': {                           #  Content, generally store the user id and start time
        'a': 1,
        'b': 2,

token = jwt.encode(dic, 'secret', algorithm='HS256')                            # Encrypted string

payload = jwt.decode(token, 'secret', issuer='lianzong', algorithms=['HS256'])  # Decrypt and verify signature

dic has an officially designated key, and the program will judge whether it is legal according to the value of the key when decrypting. These keys have

  • “exp”: When generating a token, you can set the validity time of the token. If we set an expiration of 1 day, we will throw out the token after we parse the token after 1 day
jwt.exceptions.ExpiredSignatureError: Signature has expired
  • “nbf”: It refers to the effective time of the token, if it is used but the effective time is not reached, it will be thrown
jwt.exceptions.ImmatureSignatureError: The token is not yet valid (nbf)
  • “iss”: The issuer of the token, we can give him a string. Note that there is no problem if is not checked when receiving, if we need to check when receiving but the signatures are inconsistent, it will be thrown
jwt.exceptions.InvalidIssuerError: Invalid issuer
  • “aud”: The receiver is specified. When receiving, the receiver must provide the receiver (string) that is consistent with the token requirement. If the receiver is not written or the receiver is inconsistent, it will be thrown
jwt.exceptions.InvalidAudienceError: Invalid audience
  • “iat”: the start time of the token, if the current time is before the start time, it will be thrown
jwt.exceptions.InvalidIssuedAtError: Issued At claim (iat) cannot be in the future.

Leave a Reply