{"id":1482,"library":"flask-jwt-extended","title":"Flask-JWT-Extended","description":"Flask-JWT-Extended is a Python library that provides extended JWT (JSON Web Token) integration for Flask applications. It simplifies the process of adding JWT-based authentication to your API, handling token creation, authorization, and common features like fresh tokens, blocklists, and token refreshing. The current version is 4.7.1, and it maintains a steady release cadence with active development and regular updates to support new Python and Flask versions.","status":"active","version":"4.7.1","language":"en","source_language":"en","source_url":"https://github.com/vimalloc/flask-jwt-extended","tags":["Flask","JWT","Authentication","Security","Web Development","API"],"install":[{"cmd":"pip install Flask-JWT-Extended","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core web framework integration.","package":"Flask","optional":false},{"reason":"Handles the underlying JWT encoding and decoding.","package":"PyJWT","optional":false},{"reason":"Provides cryptographic primitives for PyJWT's algorithms.","package":"cryptography","optional":false}],"imports":[{"symbol":"JWTManager","correct":"from flask_jwt_extended import JWTManager"},{"symbol":"jwt_required","correct":"from flask_jwt_extended import jwt_required"},{"symbol":"create_access_token","correct":"from flask_jwt_extended import create_access_token"},{"symbol":"get_jwt_identity","correct":"from flask_jwt_extended import get_jwt_identity"}],"quickstart":{"code":"import os\nfrom flask import Flask, jsonify, request\nfrom flask_jwt_extended import create_access_token, jwt_required, JWTManager, get_jwt_identity\n\napp = Flask(__name__)\n# Set a secret key for JWT signing. For production, use a strong, unique key.\napp.config[\"JWT_SECRET_KEY\"] = os.environ.get(\"FLASK_JWT_SECRET_KEY\", \"super-secret-dev-key\")\n\n# Initialize the Flask-JWT-Extended extension\njwt = JWTManager(app)\n\n# A simple login route to get an access token\n@app.route(\"/login\", methods=[\"POST\"])\ndef login():\n username = request.json.get(\"username\", None)\n password = request.json.get(\"password\", None)\n\n # In a real application, you'd verify these credentials against a database\n if username != \"testuser\" or password != \"testpass\":\n return jsonify({\"msg\": \"Bad username or password\"}), 401\n\n access_token = create_access_token(identity=username)\n return jsonify(access_token=access_token)\n\n# A protected route that requires a valid JWT access token\n@app.route(\"/protected\", methods=[\"GET\"])\n@jwt_required()\ndef protected():\n # Access the identity of the current user with get_jwt_identity\n current_user = get_jwt_identity()\n return jsonify(logged_in_as=current_user), 200\n\nif __name__ == \"__main__\":\n # To run:\n # 1. Set FLASK_JWT_SECRET_KEY environment variable (or it will use 'super-secret-dev-key')\n # e.g., export FLASK_JWT_SECRET_KEY=\"your-strong-secret\"\n # 2. Run this script: python your_app.py\n # 3. Test with curl:\n # curl -X POST -H \"Content-Type: application/json\" -d '{\"username\":\"testuser\", \"password\":\"testpass\"}' http://127.0.0.1:5000/login\n # (Copy the access_token from the response)\n # curl -H \"Authorization: Bearer \" http://127.0.0.1:5000/protected\n app.run(debug=True)","lang":"python","description":"This quickstart demonstrates how to initialize Flask-JWT-Extended, create a login endpoint to issue an access token, and protect another endpoint using the `@jwt_required()` decorator. It shows how to retrieve the identity of the authenticated user within a protected route. Remember to set the `FLASK_JWT_SECRET_KEY` environment variable for production environments."},"warnings":[{"fix":"Upgrade your Python version to 3.9 or newer. If not possible, pin `Flask-JWT-Extended<4.7.0`.","message":"Python 3.7 and 3.8 support was dropped in Flask-JWT-Extended 4.7.0. If you are on these Python versions, you must upgrade your Python environment or use a version of Flask-JWT-Extended older than 4.7.0.","severity":"breaking","affected_versions":">=4.7.0"},{"fix":"Upgrade `Flask-JWT-Extended` to version 4.5.3 or newer if using Flask 3.x. Pin `Flask-JWT-Extended<4.5.3` if using Flask <3.0.","message":"Flask 3.0 compatibility was introduced in Flask-JWT-Extended 4.5.3. Applications using Flask 3.x must ensure they are using `flask-jwt-extended>=4.5.3` to avoid compatibility issues.","severity":"breaking","affected_versions":"<4.5.3"},{"fix":"Consult the official migration guide for detailed steps. Be prepared to update token return formats, decorator usage, and configuration settings (e.g., `JWT_SECRET_KEY`).","message":"Migrating from Flask-JWT-Extended v3.x to v4.x involved significant breaking changes, including how tokens are returned (no longer a dict by default), changes to decorators, and more explicit configuration requirements.","severity":"breaking","affected_versions":"3.x to 4.x"},{"fix":"Always set `app.config[\"JWT_SECRET_KEY\"]` explicitly and ensure it is a strong, unique secret key separate from Flask's `SECRET_KEY`.","message":"Flask-JWT-Extended uses `app.config[\"JWT_SECRET_KEY\"]` for signing JWTs, which is distinct from Flask's `app.secret_key` or `app.config[\"SECRET_KEY\"]`. Using Flask's secret key for JWT signing is a common mistake and can lead to unexpected behavior or security vulnerabilities.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure the value passed as `identity` is a unique string representing the user (e.g., user ID, username). If using an object, ensure it can be reliably serialized and deserialized to retrieve the identity later.","message":"The `identity` argument passed to `create_access_token()` (and `create_refresh_token()`) should ideally be a string or a value that can be easily serialized to JSON and uniquely identifies the user. While it may accept other types, the documentation strongly encourages string identities for clarity and consistent behavior.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}