{"id":6609,"library":"drf-jwt","title":"Django REST Framework JWT","description":"drf-jwt (officially `djangorestframework-jwt`) provides JSON Web Token (JWT) based authentication for Django REST framework. This particular fork (version 1.19.2, last released January 2022) offers a basic implementation for token generation, refreshing, and verification. While functional, active development for this specific package is limited, with `djangorestframework-simplejwt` being the widely recommended and actively maintained alternative for modern Django/DRF projects.","status":"maintenance","version":"1.19.2","language":"en","source_language":"en","source_url":"https://github.com/Styria-Digital/django-rest-framework-jwt","tags":["django","rest framework","jwt","authentication","security"],"install":[{"cmd":"pip install drf-jwt","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Required for any Django project.","package":"Django","optional":false},{"reason":"Core dependency for Django REST Framework integration.","package":"djangorestframework","optional":false},{"reason":"Used for JWT encoding and decoding. Implicitly installed.","package":"PyJWT","optional":false}],"imports":[{"note":"This is the authentication class for the `djangorestframework-jwt` package. Do not confuse it with `djangorestframework-simplejwt`'s `JWTAuthentication`.","wrong":"from rest_framework_simplejwt.authentication import JWTAuthentication","symbol":"JSONWebTokenAuthentication","correct":"from rest_framework_jwt.authentication import JSONWebTokenAuthentication"},{"note":"This view is used to obtain a JWT token by providing username and password. `simplejwt` uses `TokenObtainPairView`.","wrong":"from rest_framework_simplejwt.views import TokenObtainPairView","symbol":"obtain_jwt_token","correct":"from rest_framework_jwt.views import obtain_jwt_token"},{"note":"This view is used to refresh an existing JWT token. `simplejwt` uses `TokenRefreshView`.","wrong":"from rest_framework_simplejwt.views import TokenRefreshView","symbol":"refresh_jwt_token","correct":"from rest_framework_jwt.views import refresh_jwt_token"},{"note":"This view is used to verify the validity of a JWT token. `simplejwt` uses `TokenVerifyView`.","wrong":"from rest_framework_simplejwt.views import TokenVerifyView","symbol":"verify_jwt_token","correct":"from rest_framework_jwt.views import verify_jwt_token"},{"note":"Custom handler to modify the JWT response payload. Can be overridden in `settings.py`.","symbol":"jwt_response_payload_handler","correct":"from rest_framework_jwt.settings import api_settings"}],"quickstart":{"code":"import os\nfrom datetime import datetime, timedelta\n\n# settings.py\n# Add 'rest_framework' and 'rest_framework_jwt' to INSTALLED_APPS\nINSTALLED_APPS = [\n    # ...\n    'rest_framework',\n    'rest_framework_jwt',\n    # ...\n]\n\nREST_FRAMEWORK = {\n    'DEFAULT_AUTHENTICATION_CLASSES': (\n        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',\n        'rest_framework.authentication.SessionAuthentication',\n        'rest_framework.authentication.BasicAuthentication',\n    ),\n    'DEFAULT_PERMISSION_CLASSES': (\n        'rest_framework.permissions.IsAuthenticated',\n    ),\n}\n\nJWT_AUTH = {\n    'JWT_EXPIRATION_DELTA': timedelta(seconds=int(os.environ.get('JWT_EXPIRATION_SECONDS', 3600))),\n    'JWT_ALLOW_REFRESH': True,\n    'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=int(os.environ.get('JWT_REFRESH_DAYS', 7))),\n    'JWT_RESPONSE_PAYLOAD_HANDLER': 'your_app.utils.jwt_response_payload_handler',\n    # 'JWT_SECRET_KEY': os.environ.get('DJANGO_SECRET_KEY', 'your_secret_key'), # Uses Django's SECRET_KEY by default\n}\n\n# urls.py\nfrom django.urls import path\nfrom rest_framework_jwt.views import obtain_jwt_token, refresh_jwt_token, verify_jwt_token\n\nurlpatterns = [\n    path('api-token-auth/', obtain_jwt_token),\n    path('api-token-refresh/', refresh_jwt_token),\n    path('api-token-verify/', verify_jwt_token),\n    # ... other app URLs\n]\n\n# Example of a custom payload handler in your_app/utils.py\n# def jwt_response_payload_handler(token, user=None, request=None):\n#     return {\n#         'token': token,\n#         'user': user.username,\n#         'id': user.id\n#     }\n","lang":"python","description":"Configure `INSTALLED_APPS` and `REST_FRAMEWORK` settings. Add JWT-specific settings under `JWT_AUTH` for token expiration and refresh. Finally, include the `obtain_jwt_token`, `refresh_jwt_token`, and `verify_jwt_token` views in your project's `urls.py`."},"warnings":[{"fix":"For actively maintained and modern JWT authentication, consider migrating to `djangorestframework-simplejwt`.","message":"The original `jpadilla/django-rest-framework-jwt` project is officially unmaintained. This `Styria-Digital` fork, while available on PyPI, has not had a release since January 2022, indicating very limited ongoing maintenance.","severity":"deprecated","affected_versions":"<1.19.2"},{"fix":"Ensure your project's environment matches these requirements. If using newer Django/DRF, migration to `djangorestframework-simplejwt` is highly recommended as it supports current versions.","message":"The package requires specific versions of Python, Django, and Django REST Framework. Version 1.19.2 explicitly states Python 2.7, 3.4+, Django 1.11+, and DRF 3.7+.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Deploy your application with HTTPS enabled. Ensure `SECURE_SSL_REDIRECT = True` and appropriate security headers are configured in production.","message":"Security Warning: Always use SSL/TLS (HTTPS) for your API endpoints when using JWT. The token itself only verifies user identity; the request parameters are not signed and can be tampered with in transit if not encrypted.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Implement short-lived access tokens and longer-lived refresh tokens. Consider token rotation and blacklisting for improved security. Follow best practices for client-side token storage (e.g., `HttpOnly` cookies for refresh tokens to mitigate XSS risks).","message":"Token storage on the client-side (e.g., `localStorage` for access tokens, `HttpOnly` cookies for refresh tokens) and proper handling of token expiration, rotation, and blacklisting are crucial security considerations often overlooked.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[]}