/python-jwt

Python module for generating and verifying JSON Web Tokens

Primary LanguageHTMLMIT LicenseMIT

python-jwt   Build Status Coverage Status PyPI version

Module for generating and verifying JSON Web Tokens.

  • Note: Versions 1.0.0 and later fix a vulnerability in JSON Web Token verification so please upgrade if you're using this functionality. The API has changed so you will need to update your application. verify_jwt now requires you to specify which signature algorithms are allowed.
  • Uses python-jws to do the heavy lifting.
  • Supports RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512 and none signature algorithms.
  • Unit tests, including tests for interoperability with node-jsjws.
  • Tentative support for Python 3.4. Although the examples below work, the unit tests are blocked on PyVows and gevent support for Python 3.4. Note: verify_jwt now returns the token as a Unicode string, even on Python 2.7.

Example:

import jwt, Crypto.PublicKey.RSA as RSA, datetime
key = RSA.generate(2048)
payload = { 'foo': 'bar', 'wup': 90 };
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload: assert claims[k] == payload[k]

The API is described here.

Installation

pip install python_jwt

Another Example

You can read and write keys from and to PEM-format strings:

import jwt, Crypto.PublicKey.RSA as RSA, datetime
key = RSA.generate(2048)
priv_pem = key.exportKey()
pub_pem = key.publickey().exportKey()
payload = { 'foo': 'bar', 'wup': 90 };
priv_key = RSA.importKey(priv_pem)
pub_key = RSA.importKey(pub_pem)
token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=5))
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
for k in payload: assert claims[k] == payload[k]

Licence

MIT

Tests

make test

Lint

make lint

Code Coverage

make coverage

coverage.py results are available here.

Coveralls page is here.

Benchmarks

make bench

Here are some results on a laptop with an Intel Core i5-3210M 2.5Ghz CPU and 6Gb RAM running Ubuntu 13.04.

Generate Key user (ns) sys (ns) real (ns)
RSA 152,700,000 300,000 152,906,095
Generate Token user (ns) sys (ns) real (ns)
HS256 140,000 10,000 157,202
HS384 160,000 10,000 156,403
HS512 139,999 20,000 153,212
PS256 3,159,999 49,999 3,218,649
PS384 3,170,000 10,000 3,176,899
PS512 3,120,000 9,999 3,141,219
RS256 3,070,000 20,000 3,094,644
RS384 3,090,000 0 3,092,471
RS512 3,079,999 20,000 3,095,314
Load Key user (ns) sys (ns) real (ns)
RSA 811,000 0 810,139
Verify Token user (ns) sys (ns) real (ns)
HS256 140,000 0 129,947
HS384 130,000 0 130,161
HS512 119,999 0 128,850
PS256 780,000 10,000 775,609
PS384 759,999 0 752,933
PS512 739,999 0 738,118
RS256 700,000 0 719,365
RS384 719,999 0 721,524
RS512 730,000 0 719,706