{"id":7183,"library":"djangorestframework-jwt","title":"JSON Web Token for Django REST Framework","description":"djangorestframework-jwt provides JSON Web Token (JWT) based authentication for Django REST Framework. While historically popular, the library is largely unmaintained with its last release (1.11.0) in October 2017. Users are generally recommended to migrate to more actively maintained alternatives like `drf-simplejwt` for current Django and DRF versions, as this library lacks recent security updates and compatibility testing with newer Django/DRF releases.","status":"maintenance","version":"1.11.0","language":"en","source_language":"en","source_url":"https://github.com/GetBlimp/django-rest-framework-jwt","tags":["django","drf","jwt","authentication","security"],"install":[{"cmd":"pip install djangorestframework-jwt","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core dependency for integration with Django REST Framework.","package":"djangorestframework"},{"reason":"Handles the encoding and decoding of JSON Web Tokens.","package":"PyJWT"}],"imports":[{"symbol":"JSONWebTokenAuthentication","correct":"from rest_framework_jwt.authentication import JSONWebTokenAuthentication"},{"symbol":"obtain_jwt_token","correct":"from rest_framework_jwt.views import obtain_jwt_token"},{"symbol":"refresh_jwt_token","correct":"from rest_framework_jwt.views import refresh_jwt_token"},{"symbol":"verify_jwt_token","correct":"from rest_framework_jwt.views import verify_jwt_token"}],"quickstart":{"code":"import os\nimport datetime\n\n# settings.py\nINSTALLED_APPS = [\n    # ... 
other apps\n    'rest_framework',\n    'rest_framework_jwt',\n]\n\nREST_FRAMEWORK = {\n    'DEFAULT_AUTHENTICATION_CLASSES': (\n        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',\n        # 'rest_framework.authentication.SessionAuthentication', # Optional\n        # 'rest_framework.authentication.BasicAuthentication', # Optional\n    ),\n}\n\nJWT_AUTH = {\n    'JWT_RESPONSE_PAYLOAD_HANDLER': 'your_project_name.utils.jwt_response_payload_handler', # Customize response data\n    'JWT_SECRET_KEY': os.environ['DJANGO_SECRET_KEY'], # IMPORTANT: strong, unique key from an env var; raises KeyError if unset instead of falling back to a hard-coded key\n    'JWT_ALLOW_REFRESH': True,\n    'JWT_EXPIRATION_DELTA': datetime.timedelta(seconds=3600), # Token valid for 1 hour\n    'JWT_REFRESH_EXPIRATION_DELTA': datetime.timedelta(days=7), # Tokens can be refreshed for up to 7 days after the original token was issued\n    # ... other settings\n}\n\n# your_project_name/urls.py\nfrom django.urls import path\nfrom rest_framework_jwt.views import obtain_jwt_token, refresh_jwt_token, verify_jwt_token\n\nurlpatterns = [\n    # ... your other urls\n    path('api/token/', obtain_jwt_token, name='api_token_auth'),\n    path('api/token/refresh/', refresh_jwt_token, name='api_token_refresh'),\n    path('api/token/verify/', verify_jwt_token, name='api_token_verify'),\n]","lang":"python","description":"Configure `settings.py` by adding `rest_framework_jwt` to `INSTALLED_APPS`, setting `DEFAULT_AUTHENTICATION_CLASSES` for DRF, and defining `JWT_AUTH` settings, especially `JWT_SECRET_KEY`. Then, add the token authentication URLs to your project's `urls.py`."},"warnings":[{"fix":"Evaluate migrating to `drf-simplejwt` for better long-term support and security.","message":"This library is largely unmaintained since its last release in 2017. It may lack security updates and compatibility with recent Django and Django REST Framework versions. 
For new projects or migrations, consider using `drf-simplejwt` or other actively maintained alternatives.","severity":"gotcha","affected_versions":"1.11.0 and prior"},{"fix":"Ensure your project uses Django >= 1.8 and Django REST Framework >= 3.x for compatibility. For newer Django/DRF, consider alternatives like `drf-simplejwt`.","message":"Official support for Django REST Framework 2.x and older Django versions (pre-1.8) was dropped in version 1.8.0. Using `djangorestframework-jwt` with unsupported versions may lead to unexpected errors or vulnerabilities.","severity":"breaking","affected_versions":">=1.8.0"},{"fix":"Always retrieve `JWT_SECRET_KEY` from a secure source like environment variables (`os.environ.get('YOUR_SECRET_KEY')`) or a secrets management service in production environments. Never commit it directly to source control.","message":"Using a static or easily discoverable `JWT_SECRET_KEY` directly in `settings.py` is a severe security vulnerability. This key is used to sign and verify JWTs, and its compromise allows attackers to forge tokens.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade `djangorestframework-jwt` to version 1.5.0 or higher to ensure compatibility with newer PyJWT versions and proper token expiration handling.","message":"The `verify_expiration` argument for PyJWT's `decode` function was removed in PyJWT 1.0.0. 
`djangorestframework-jwt` version 1.5.0 and later fixed this incompatibility, but older versions might fail if using PyJWT >= 1.0.0.","severity":"breaking","affected_versions":"<1.5.0"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Run `pip install djangorestframework-jwt` and ensure `'rest_framework_jwt'` is included in your `INSTALLED_APPS` list in `settings.py`.","cause":"The `djangorestframework-jwt` library is either not installed or not correctly added to your Django project's `INSTALLED_APPS`.","error":"ModuleNotFoundError: No module named 'rest_framework_jwt'"},{"fix":"Obtain a new token by re-authenticating or using the refresh token endpoint (`api/token/refresh/`) if refresh tokens are enabled and valid. You can adjust `JWT_EXPIRATION_DELTA` and `JWT_REFRESH_EXPIRATION_DELTA` in `settings.py` to change token lifetimes.","cause":"The provided JSON Web Token has exceeded its `JWT_EXPIRATION_DELTA` and is no longer considered valid.","error":"rest_framework_jwt.exceptions.InvalidTokenError: Signature has expired."},{"fix":"Review your `JWT_AUTH` dictionary in `settings.py`. Ensure all mandatory keys (like `JWT_SECRET_KEY`) are present and correctly formatted according to the `djangorestframework-jwt` documentation.","cause":"Essential settings for `JWT_AUTH`, such as `JWT_SECRET_KEY`, are missing or incorrectly defined in your `settings.py`.","error":"django.core.exceptions.ImproperlyConfigured: JWT_AUTH setting is missing or improperly configured."},{"fix":"Verify that the `JWT_SECRET_KEY` in your `settings.py` exactly matches the key used to encode the token. If running multiple services, ensure they share the same secret key. 
Obtain a new token to rule out token corruption.","cause":"The JWT signature could not be verified, likely due to an incorrect `JWT_SECRET_KEY` being used for decoding, or a tampered/corrupted token.","error":"rest_framework.exceptions.AuthenticationFailed: Signature verification failed."}]}