← Back to Lessons
Edit on Github

Understanding JWT and how to implement a simple JWT with Flask

📹 Here is a video explaining the JWT authentication implementation using React.js, Context API and Python Flask.

Almost every API needs an authentication layer, and there are many ways to tackle that problem, today we are going to be implementing JWT token into our Flask API.

How API Authentication works

You can divide a standard authentication process in 5 main steps:

  1. The user writes its username and password on your website.
  2. The username and password gets sent to the backend API.
  3. The API looks for any record on the User table that matches with both parameters at the same time (username and password).
  4. If a user is found, it generates a token for that user and responds status_code=200 back to the front end.
  5. The front-end will use that token from now on to make any future request.

Autentication workflow

☝ If you don't know what a token is, I would recomend this reading.

What is JWT?

There are many ways to create tokens: Basic, Bearer, JWT, etc. All of them are different in its nature but all of them result in the same output: A hash (a big alphanumeric token).

Type of tokenHow it looks
Basic Tokenecff2099b95ed507a27a4717ec78965d529cc346
Bearer TokenYWxlc2FuY2hlenI6NzE0YmZhNDNlN2MzMTJiZTk5OWQwYWZlYTg5MTQ4ZTc=
JWT TokeneyJhbGciOiJIUzI1NiIsInR5c.eyJzdWIiOFt2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpM

☝ As you can see, JWT Tokens are bigger than the other two types of token.

JSON Web Token or JWT is an open standard to create tokens

This standard has become quite popular since it's very effective for Web Apps like Google APIs, where after the user authentication you make API requests.

JSON Web Token is a type of token that includes a structure, which can be decrypted by the server that allows you to authenticate the identity of the user of that application.

Why using JWT Token?

In a nutshell: JWT is an amazing alternative because Basic Token is to simple and easy to hack and Bearer Token it's harder to maintain because you have to store each token on the database.

With JWT Tokens you don't need a database, the token itself contains all the information needed.

Autentication workflow

Structure of the JWT Token

Autentication workflow

You may notice that the string is divided in three sections separated by a (.). Each section has it meaning:

Section name
HEADERThe first part stores the type of token and the encryption algorithm
PAYLOADThe second part has the data that identifies the user: it can be its ID, user name, etc.
SIGNATUREDigital signature, which is generated with the previous two sections, and it allows you to verify if the content has been modified.

Implementing JWT in your project API

We strongly recomend using JWT Extended library to implement JWT autentication in your Python Flask API, the process can be divided in the following steps:

1) Include the JWT library in your Flask App setup

from flask_jwt_extended import JWTManager # you must already have this line in your project # you don't have to add it again. app = Flask(__name__) # Setup the Flask-JWT-Extended extension app.config["JWT_SECRET_KEY"] = "super-secret" # Change this "super secret" with something else! jwt = JWTManager(app)

2) Create one endpoint for generating new tokens

The endpoint should be a POST because you are creating tokens (POST is for creation).

POST /token Content-type: application/json Body: { "username": "alesanchezr", "password": "12341234" }

This is how the endpoint could look like in Python:

from flask_jwt_extended import create_access_token # Create a route to authenticate your users and return JWT Token. The # create_access_token() function is used to actually generate the JWT. @app.route("/token", methods=["POST"]) def create_token(): username = request.json.get("username", None) password = request.json.get("password", None) # Query your database for username and password user = User.query.filter_by(username=username, password=password).first() if user is None: # the user was not found on the database return jsonify({"msg": "Bad username or password"}), 401 # create a new token with the user id inside access_token = create_access_token(identity=user.id) return jsonify({ "token": access_token, "user_id": user.id })

3) Use the @jwt_required() decorator on private routes

Now... any endpoint that requires authorization (private endpoints) should use the @jwt_required() decorator.

You will be able to retrieve the authenticated user information (if valid) using the get_jwt_identity function.

from flask_jwt_extended import jwt_required, get_jwt_identity # Protect a route with jwt_required, which will kick out requests # without a valid JWT present. @app.route("/protected", methods=["GET"]) @jwt_required() def protected(): # Access the identity of the current user with get_jwt_identity current_user_id = get_jwt_identity() user = User.query.get(current_user_id) return jsonify({"id": user.id, "username": user.username }), 200

Implementing JWT in your project Front-End

On the front-end side we need two main steps: Creating a new token (a.k.a: login) and appending the token to the headers when fetching any other private endpoints.

Create new token:

Based on the endpoints we build on earlier we have to POST /token with the username and password information in the request body.

const login = async (username, password) => { const resp = await fetch(`https://your_api.com/token`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ username: "joe", password: "1234" }) }) if(!resp.ok) throw Error("There was a problem in the login request") if(resp.status === 401){ throw("Invalid credentials") } else if(resp.status === 400){ throw ("Invalid email or password format") } const data = await resp.json() // save your token in the localStorage //also you should set your user into the store using the setStore function localStorage.setItem("jwt-token", data.token); return data }

Fetch any private information

Let's suppose I am using the front-end application and I just logged in, but now I want to fech some private or protected endpoint:

// assuming "/protected" is a private endpoint const getMyTasks = await (username, password) => { // retrieve token form localStorage const token = localStorage.getItem('jwt-token'); const resp = await fetch(`https://your_api.com/protected`, { method: 'GET', headers: { "Content-Type": "application/json" 'Authorization': 'Bearer '+token // ⬅⬅⬅ authorization token } }) if(!resp.ok) throw Error("There was a problem in the login request") else if(resp.status === 403){ throw Error("Missing or invalid token"); } else{ throw Error('Uknon error'); } const data = await resp.json(); console.log("This is the data you requested", data); return data }

That is it! As you can see it's very simple to integrate JWT into your application using Flask/Python, just three steps on the backend and two steps on the front-ent. For any questions you can contact me on twitter @alesanchezr or use the #public-support channel on 4Geeks Academy's Slack community.

Subscribe for more!






The most efficient way to learn: Join a cohort with classmates like yourself, live streamings, coding jam sessions, live mentorships with real experts and keep the motivation.


From zero to getting paid as a developer, learn the skills of the present and future. Boost your professional career and get hired by a tech company.


Start a career in data science and analytics. A hands-on approach with interactive exercises, chat support, and access to mentorships.


Keep your motivation with this 30 day challenge. Join hundreds of other developers coding a little every day.


Start with Python and Data Science, Machine Learning, Deep Learning and maintaining a production environment in A.I.

©4Geeks Academy LLC 2019

Privacy policies

Cookies policies

Terms & Conditions