Configuration Options¶

You can change many options for how this extension works via

app.config[OPTION_NAME] = new_options

General Options:¶

`JWT_TOKEN_LOCATION`	Where to look for a JWT when processing a request. The options are `'headers'`, `'cookies'`, `'query_string'`, or `'json'`. You can pass in a list to check more then one location, such as: `['headers', 'cookies']`. Defaults to `'headers'`
`JWT_ACCESS_TOKEN_EXPIRES`	How long an access token should live before it expires. This takes a `datetime.timedelta`, and defaults to 15 minutes. Can be set to `False` to disable expiration.
`JWT_REFRESH_TOKEN_EXPIRES`	How long a refresh token should live before it expires. This takes a `datetime.timedelta`, and defaults to 30 days. Can be set to `False` to disable expiration.
`JWT_ALGORITHM`	Which algorithm to sign the JWT with. See here for the options. Defaults to `'HS256'`.
`JWT_SECRET_KEY`	The secret key needed for symmetric based signing algorithms, such as `HS*`. If this is not set, we use the sanic `SECRET_KEY` value instead.
`JWT_PUBLIC_KEY`	The public key needed for asymmetric based signing algorithms, such as RS* or ES*. PEM format expected.
`JWT_PRIVATE_KEY`	The private key needed for asymmetric based signing algorithms, such as RS* or ES*. PEM format expected.
`JWT_IDENTITY_CLAIM`	Claim in the tokens that is used as source of identity. For interoperability, the JWT RFC recommends using `'sub'`. Defaults to `'identity'` for legacy reasons.
`JWT_USER_CLAIMS`	Claim in the tokens that is used to store user claims. Defaults to `'user_claims'`.
`JWT_CLAIMS_IN_REFRESH_TOKEN`	If user claims should be included in refresh tokens. Defaults to `False`.
`JWT_ERROR_MESSAGE_KEY`	The key of the error message in a JSON error response when using the default error handlers. Defaults to `'msg'`.
`RBAC_ENABLE`	Role-based access control (RBAC) enable option. Defaults to `False`

Header Options:¶

These are only applicable if JWT_TOKEN_LOCATION is set to use headers.

`JWT_HEADER_NAME`	What header to look for the JWT in a request. Defaults to `'Authorization'`
`JWT_HEADER_TYPE`	What type of header the JWT is in. Defaults to `'Bearer'`. This can be an empty string, in which case the header contains only the JWT (insead of something like `HeaderName: Bearer <JWT>`)