API Documentation

In here you will find the API for everything exposed in this extension.

Sanic-JWT-Extended

class sanic_jwt_extended.JWTManager(app: sanic.app.Sanic)

An object used to hold JWT settings for the Sanic-JWT-Extended extension. Instances of JWTManager are not bound to specific apps, so you can create one in the main body of your code and then bind it to your app in a factory function.

__init__(app: sanic.app.Sanic)

Create the JWTManager instance. You can either pass a sanic application in directly here to register this extension with the sanic app, or you can call init_app after creating this object (in a factory pattern).

Parameters:
  • app – A sanic application

init_app(app: sanic.app.Sanic)

Register this extension with the sanic app.

Parameters:
  • app – A sanic application

Protected endpoint decorators

sanic_jwt_extended.jwt_required(function=None, allow=None, deny=None)

A decorator to protect a Sanic endpoint. If you decorate an endpoint with this, it will ensure that the requester has a valid access token before allowing the endpoint to be called. If the token check passes, a Token object is inserted into kwargs. This does not check the freshness of the access token. See also: fresh_jwt_required()

sanic_jwt_extended.jwt_refresh_token_required(fn)

A decorator to protect a Sanic endpoint. If you decorate an endpoint with this, it will ensure that the requester has a valid refresh token before allowing the endpoint to be called.

sanic_jwt_extended.fresh_jwt_required(function=None, allow=None, deny=None)

A decorator to protect a Sanic endpoint. If you decorate an endpoint with this, it will ensure that the requester has a valid and fresh access token before allowing the endpoint to be called. See also: jwt_required()

sanic_jwt_extended.jwt_optional(fn)

A decorator to optionally protect a Sanic endpoint. If an access token is present in the request, this will insert a filled Token object into kwargs. If no access token is present in the request, this will insert an empty Token object into kwargs. If there is an invalid access token in the request (expired, tampered with, etc.), this will still call the appropriate error handler instead of allowing the endpoint to be called as if there were no access token in the request. This decorator also does not check the role.

Verify Tokens in Request

These perform the same actions as the protected endpoint decorators, without actually decorating a function. These are very useful if you want to create your own decorators on top of sanic jwt extended (such as role_required), or

sanic_jwt_extended.decorators.get_jwt_data_in_request_header(app: sanic.app.Sanic, request: sanic.request.Request) → Dict

Get JWT token data from the request header, according to the configuration. Raises NoAuthorizationHeaderError when there is no JWT header, and InvalidHeaderError when a malformed JWT header is detected.

Parameters:
  • app – A Sanic application
  • request – Sanic request object that contains app
Returns:

Dictionary containing contents of the JWT

sanic_jwt_extended.decorators.verify_jwt_data_type(token_data: dict, token_type: str) → None

Check the JWT type against the given argument. Raises WrongTokenError if the token type is not the expected type.

Parameters:
  • token_data – Dictionary containing contents of the JWT
  • token_type – Token type to check for (ex: access)

Utilities

sanic_jwt_extended.create_access_token(app, identity, user_claims=None, role=None, fresh=False, expires_delta=None)

Create a new access token.

Parameters:
  • app – A Sanic application from request object
  • identity – The identity of this token, which can be any data that is json serializable. It can also be a python object
  • user_claims – User-made claims that will be added to this token. It should be a dictionary.
  • role – A role field for RBAC
  • fresh – If this token should be marked as fresh, and can thus access fresh_jwt_required() endpoints. Defaults to False. This value can also be a datetime.timedelta in which case it will indicate how long this token will be considered fresh.
  • expires_delta – A datetime.timedelta for how long this token should last before it expires. Set to False to disable expiration. If this is None, it will use the JWT_ACCESS_TOKEN_EXPIRES config value
Returns:

An encoded access token

sanic_jwt_extended.create_refresh_token(app, identity, user_claims=None, expires_delta=None)

Create a new refresh token.

Parameters:
  • app – A Sanic application from request object
  • identity – The identity of this token, which can be any data that is json serializable. It can also be a python object
  • user_claims – User-made claims that will be added to this token. It should be a dictionary.
  • expires_delta – A datetime.timedelta for how long this token should last before it expires. Set to False to disable expiration. If this is None, it will use the JWT_REFRESH_TOKEN_EXPIRES config value
Returns:

An encoded refresh token

sanic_jwt_extended.tokens.encode_access_token(identity: str, secret: str, algorithm: str, expires_delta: datetime.timedelta, fresh: Union[datetime.timedelta, bool], user_claims: dict, role: str, identity_claim_key: str, user_claims_key: str, json_encoder: Callable[..., str] = None) → str

Creates a new encoded (utf-8) access token.

Parameters:
  • identity – Identifier for who this token is for (ex, username). This data must be json serializable
  • secret – Secret key to encode the JWT with
  • algorithm – Which algorithm to encode this JWT with
  • expires_delta (datetime.timedelta or False) – How far in the future this token should expire (set to False to disable expiration)
  • fresh – If this should be a ‘fresh’ token or not. If a datetime.timedelta is given this will indicate how long this token will remain fresh.
  • user_claims – Custom claims to include in this token. This data must be json serializable
  • role – A role field for RBAC
  • identity_claim_key – Which key should be used to store the identity
  • user_claims_key – Which key should be used to store the user claims
  • json_encoder – json encoder
Returns:

Encoded access token

sanic_jwt_extended.tokens.encode_refresh_token(identity, secret, algorithm, expires_delta, user_claims, identity_claim_key, user_claims_key, json_encoder=None)

Creates a new encoded (utf-8) refresh token.

Parameters:
  • identity – Some identifier used to identify the owner of this token
  • secret – Secret key to encode the JWT with
  • algorithm – Which algorithm to use for the token
  • expires_delta (datetime.timedelta or False) – How far in the future this token should expire (set to False to disable expiration)
  • user_claims – Custom claims to include in this token. This data must be json serializable
  • identity_claim_key – Which key should be used to store the identity
  • user_claims_key – Which key should be used to store the user claims
  • json_encoder – json encoder
Returns:

Encoded refresh token

sanic_jwt_extended.tokens.decode_jwt(encoded_token: str, secret: str, algorithm: str, identity_claim_key: str, user_claims_key: str) → Dict

Decodes an encoded JWT

Parameters:
  • encoded_token – The encoded JWT string to decode
  • secret – Secret key used to encode the JWT
  • algorithm – Algorithm used to encode the JWT
  • identity_claim_key – expected key that contains the identity
  • user_claims_key – expected key that contains the user claims
Returns:

Dictionary containing contents of the JWT
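
How the checks documented above fit together when building a custom decorator: the configured algorithm is pinned at decode time, the token type is checked so a refresh token cannot stand in for an access token, and freshness is read as either a boolean or a deadline. This is an added, standard-library-only illustration, not Sanic-JWT-Extended's own code; the helper names, the type/fresh/exp/sub claim names, storing freshness as a timestamp, and the local WrongTokenError class are assumptions.

```python
import base64, hashlib, hmac, json

class WrongTokenError(Exception):
    """Local stand-in for the error the page names; not imported from the library."""

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims: dict, secret: str, alg: str = "HS256") -> str:
    head = _b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def decode(token: str, secret: str, algorithm: str, now: float) -> dict:
    head, body, sig = token.split(".")
    # Trust the configured algorithm, never the one the token header announces.
    if json.loads(_unb64(head)).get("alg") != algorithm:
        raise ValueError("unexpected algorithm")
    good = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def verify_type(claims: dict, expected: str) -> None:
    if claims.get("type") != expected:
        raise WrongTokenError(f"need {expected} token, got {claims.get('type')}")

def is_fresh(claims: dict, now: float) -> bool:
    fresh = claims.get("fresh", False)  # bool, or the time until which it stays fresh
    return fresh if isinstance(fresh, bool) else now < fresh

def check(token: str, secret: str, expected: str, need_fresh: bool, now: float) -> str:
    try:
        claims = decode(token, secret, "HS256", now)
        verify_type(claims, expected)
    except (ValueError, WrongTokenError) as exc:
        return f"rejected: {type(exc).__name__}"
    return "rejected: stale" if need_fresh and not is_fresh(claims, now) else "ok"

# Constructed sample input: one access token (fresh for 60 s) and one refresh token.
NOW, SECRET = 1_700_000_000, "constructed-secret"
ACCESS = encode({"sub": "alice", "type": "access", "fresh": NOW + 60, "exp": NOW + 900}, SECRET)
REFRESH = encode({"sub": "alice", "type": "refresh", "exp": NOW + 86400}, SECRET)
```
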

Token Object

class sanic_jwt_extended.tokens.Token(app: sanic.app.Sanic, token: dict)

Token object that contains the decoded token data and is passed via kwargs to the endpoint function

raw_jwt
Returns: full jwt data in dictionary form
jwt_identity
Returns: jwt identity claim data (or this can be None if data does not exist)
jwt_user_claims
Returns: user claim data
jti
Returns: jti data