API Documentation
In here you will find the API for everything exposed in this extension.
Configuring FastAPI JWT Auth¶
- load_config(callback)
-
This decorator sets the callback function to overwrite state on AuthJWT class so when you initialize an instance in dependency injection default value will be overwritten.
Hint: The callback must be a function that returns a list of tuple or pydantic object.
- token_in_denylist_loader(callback)
-
This decorator sets the callback function that will be called when a protected endpoint is accessed and will check if the JWT has been revoked. By default, this callback is not used.
Hint: The callback must be a function that takes
one
argument, which is the decoded JWT (python dictionary), and returnsTrue
if the token has been revoked, orFalse
otherwise.
Protected Endpoint¶
- jwt_required(auth_from="request", token=None, websocket=None, csrf_token=None)
-
If you call this function, it will ensure that the requester has a valid access token before executing the code below your router. This does not check the freshness of the access token.
- Parameters:
- auth_from: For identity get token from HTTP or WebSocket
- token: The encoded JWT, it's required if the protected endpoint use WebSocket to authorization and get token from Query Url or Path
- websocket: An instance of WebSocket, it's required if protected endpoint use a cookie to authorization
- csrf_token: The CSRF double submit token. Since WebSocket cannot add specifying additional headers its must be passing csrf_token manually and can achieve by Query Url or Path
- Returns: None
- Parameters:
- jwt_optional(auth_from="request", token=None, websocket=None, csrf_token=None)
-
If an access token present in the request, this will call the endpoint with
get_jwt_identity()
having the identity of the access token. If no access token is present in the request, this endpoint will still be called, butget_jwt_identity()
will return None instead.If there is an invalid access token in the request (expired, tampered with, etc), this will still call the appropriate error handler.
- Parameters:
- auth_from: For identity get token from HTTP or WebSocket
- token: The encoded JWT, it's required if the protected endpoint use WebSocket to authorization and get token from Query Url or Path
- websocket: An instance of WebSocket, it's required if protected endpoint use a cookie to authorization
- csrf_token: The CSRF double submit token. Since WebSocket cannot add specifying additional headers its must be passing csrf_token manually and can achieve by Query Url or Path
- Returns: None
- Parameters:
- jwt_refresh_token_required(auth_from="request", token=None, websocket=None, csrf_token=None)
-
If you call this function, it will ensure that the requester has a valid refresh token before executing the code below your router.
- Parameters:
- auth_from: For identity get token from HTTP or WebSocket
- token: The encoded JWT, it's required if the protected endpoint use WebSocket to authorization and get token from Query Url or Path
- websocket: An instance of WebSocket, it's required if protected endpoint use a cookie to authorization
- csrf_token: The CSRF double submit token. Since WebSocket cannot add specifying additional headers its must be passing csrf_token manually and can achieve by Query Url or Path
- Returns: None
- Parameters:
- fresh_jwt_required(auth_from="request", token=None, websocket=None, csrf_token=None)
-
If you call this function, it will ensure that the requester has a valid and fresh access token before executing the code below your router.
- Parameters:
- auth_from: For identity get token from HTTP or WebSocket
- token: The encoded JWT, it's required if the protected endpoint use WebSocket to authorization and get token from Query Url or Path
- websocket: An instance of WebSocket, it's required if protected endpoint use a cookie to authorization
- csrf_token: The CSRF double submit token. Since WebSocket cannot add specifying additional headers its must be passing csrf_token manually and can achieve by Query Url or Path
- Returns: None
- Parameters:
Utilities¶
- create_access_token(subject, fresh=False, algorithm=None, headers=None, expires_time=None, audience=None, user_claims={})
-
Create a new access token.
- Parameters:
- subject: Identifier for who this token is for example id or username from database
- fresh: Identify token is fresh or non-fresh
- algorithm: Algorithm allowed to encode the token
- headers: Valid dict for specifying additional headers in JWT header section
- expires_time: Set the duration of the JWT
- audience: Expected audience in the JWT
- user_claims: Custom claims to include in this token. This data must be dictionary
- Returns: An encoded access token
- Parameters:
- create_refresh_token(subject, algorithm=None, headers=None, expires_time=None, audience=None, user_claims={})
-
Creates a new refresh token.
- Parameters:
- subject: Identifier for who this token is for example id or username from database
- algorithm: Algorithm allowed to encode the token
- headers: Valid dict for specifying additional headers in JWT header section
- expires_time: Set the duration of the JWT
- audience: Expected audience in the JWT
- user_claims: Custom claims to include in this token. This data must be dictionary
- Returns: An encoded refresh token
- Parameters:
- set_access_cookies(encoded_access_token, response=None, max_age=None)
-
Configures the response to set access token in a cookie. This will also set the CSRF double submit values in a separate cookie.
- Parameters:
- encoded_access_token: The encoded access token to set in the cookies
- response: The FastAPI response object to set the access cookies in
- max_age: The max age of the cookie value should be
integer
the number of seconds
- Returns: None
- Parameters:
- set_refresh_cookies(encoded_refresh_token, response=None, max_age=None)
-
Configures the response to set refresh token in a cookie. This will also set the CSRF double submit values in a separate cookie.
- Parameters:
- encoded_refresh_token: The encoded refresh token to set in the cookies
- response: The FastAPI response object to set the refresh cookies in
- max_age: The max age of the cookie value should be
integer
the number of seconds
- Returns: None
- Parameters:
- unset_jwt_cookies(response=None)
-
Unset (delete) all jwt stored in a cookies.
- Parameters:
- response: The FastAPI response object to delete the JWT cookies in
- Returns: None
- Parameters:
- unset_access_cookies(response=None)
-
Remove access token and access CSRF double submit from the response cookies.
- Parameters:
- response: The FastAPI response object to delete the access cookies in
- Returns: None
- Parameters:
- unset_refresh_cookies(response=None)
-
Remove refresh token and refresh CSRF double submit from the response cookies.
- Parameters:
- response: The FastAPI response object to delete the refresh cookies in
- Returns: None
- Parameters:
- get_raw_jwt(encoded_token=None)
-
This will return the python dictionary which has all of the claims of the JWT that is accessing the endpoint. If no JWT is currently present, return
None
instead.- Parameters:
- encoded_token: The encoded JWT from parameter
- Returns: Claims of JWT
- Parameters:
- get_jti(encoded_token)
-
Returns the JTI (unique identifier) of an encoded JWT
- Parameters:
- encoded_token: The encoded JWT from parameter
- Returns: String of JTI
- Parameters:
- get_jwt_subject()
- This will return the subject of the JWT that is accessing the endpoint.
If no JWT is present,
None
is returned instead. - get_unverified_jwt_headers(encoded_token=None)
-
Returns the Headers of an encoded JWT without verifying the actual signature of JWT.
- Parameters:
- encoded_token: The encoded JWT to get the Header from protected endpoint or from parameter
- Returns: JWT header parameters as a dictionary
- Parameters: