{"id":6208,"library":"python-jwt","title":"Python JWT","description":"python-jwt is a Python module for generating and verifying JSON Web Tokens (JWTs). It leverages the `cryptography` library for cryptographic operations and provides a straightforward API for encoding and decoding tokens. The current version is 4.1.0, with an intermittent, feature-driven release cadence.","status":"active","version":"4.1.0","language":"en","source_language":"en","source_url":"https://github.com/davedoesdev/python-jwt","tags":["jwt","authentication","security","cryptography"],"install":[{"cmd":"pip install python-jwt","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Provides the underlying cryptographic primitives for JWT signing and verification. Required since version 2.0.","package":"cryptography"}],"imports":[{"symbol":"encode","correct":"from jwt import encode"},{"symbol":"decode","correct":"from jwt import decode"},{"note":"The common practice is to import directly from `jwt` after installation, not `python_jwt`.","wrong":"from python_jwt import jwt","symbol":"jwt","correct":"import jwt"}],"quickstart":{"code":"import jwt\nimport datetime\n\n# Your secret key for signing the token (load from a secrets store in production)\nsecret_key = \"your-super-secret-key-that-should-be-kept-safe\"\n\n# Use a timezone-aware UTC timestamp; datetime.utcnow() is deprecated since Python 3.12\nnow = datetime.datetime.now(datetime.timezone.utc)\n\n# Define the token payload with issued-at and expiry claims\npayload = {\n    'user_id': 123,\n    'username': 'testuser',\n    'exp': now + datetime.timedelta(minutes=30),\n    'iat': now\n}\n\n# Encode the token using the HS256 algorithm\ntoken = jwt.encode(payload, secret_key, algorithm='HS256')\nprint(f\"Encoded Token: {token}\")\n\n# Decode the token, pinning the allowed algorithms to what the issuer actually uses\ntry:\n    decoded_payload = jwt.decode(token, secret_key, algorithms=['HS256'])\n    print(f\"Decoded Payload: {decoded_payload}\")\nexcept jwt.exceptions.ExpiredSignatureError:\n    # ExpiredSignatureError is a subclass of InvalidTokenError, so it must be caught first\n    print(\"Error: Token has expired!\")\nexcept jwt.exceptions.InvalidTokenError as e:\n    print(f\"Error: Invalid Token - {e}\")","lang":"python","description":"This example demonstrates how to encode a JWT with a payload and secret key, and then decode it, including basic error handling for common JWT exceptions. Remember to use a strong, securely stored secret key in production."},"warnings":[{"fix":"Ensure your `cryptography` dependency is updated to `cryptography>=3.0.0`. If using `pip`, `pip install --upgrade python-jwt cryptography` should resolve it.","message":"Version 4.0.0 introduced a hard dependency on `cryptography` version 3.x.x or higher. If you were using an older version of `cryptography`, upgrading `python-jwt` to 4.x will likely require upgrading `cryptography` as well.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Always pass `algorithms` as a list: `jwt.decode(token, key, algorithms=['HS256'])`.","message":"The `jwt.decode()` function requires an `algorithms` parameter, which must be a list of allowed algorithms (e.g., `['HS256']`). Passing a single string (e.g., `algorithm='HS256'`) will result in a `TypeError`.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Wrap your `jwt.decode()` calls in `try...except jwt.exceptions.ExpiredSignatureError` and `try...except jwt.exceptions.InvalidTokenError` blocks to gracefully handle invalid or expired tokens.","message":"JWT validation, especially for expiry (`exp`), not-before (`nbf`), audience (`aud`), and issuer (`iss`) claims, is crucial. While `python-jwt` handles these by default if present in the payload and `verify_claims=True` (default), you must handle `ExpiredSignatureError` and `InvalidTokenError` during decoding.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-14T00:00:00.000Z","next_check":"2026-07-13T00:00:00.000Z"}