.. _getting_started: Getting started =============== Requirements ------------ * Python (3.9, 3.10, 3.11, 3.12, 3.13) * Django (4.2, 5.0, 5.1) * Django REST Framework (3.14, 3.15) These are the officially supported python and package versions. Other versions will probably work. You're free to modify the tox config and see what is possible. Installation ------------ Simple JWT can be installed with pip: .. code-block:: console pip install djangorestframework-simplejwt Cryptographic Dependencies (Optional) ------------------------------------- If you are planning on encoding or decoding tokens using certain digital signature algorithms (i.e. RSA and ECDSA; visit PyJWT for other algorithms), you will need to install the cryptography_ library. This can be installed explicitly, or as a required extra in the ``djangorestframework-simplejwt`` requirement: .. code-block:: console pip install djangorestframework-simplejwt[crypto] The ``djangorestframework-simplejwt[crypto]`` format is recommended in requirements files in projects using ``Simple JWT``, as a separate ``cryptography`` requirement line may later be mistaken for an unused requirement and removed. .. _`cryptography`: https://cryptography.io Project Configuration --------------------- Then, your django project must be configured to use the library. In ``settings.py``, add ``rest_framework_simplejwt.authentication.JWTAuthentication`` to the list of authentication classes: .. code-block:: python REST_FRAMEWORK = { ... 'DEFAULT_AUTHENTICATION_CLASSES': ( ... 'rest_framework_simplejwt.authentication.JWTAuthentication', ) ... } Also, in your root ``urls.py`` file (or any other url config), include routes for Simple JWT's ``TokenObtainPairView`` and ``TokenRefreshView`` views: .. code-block:: python from rest_framework_simplejwt.views import ( TokenObtainPairView, TokenRefreshView, ) urlpatterns = [ ... path('api/token/', TokenObtainPairView.as_view(), name='token_obtain_pair'), path('api/token/refresh/', TokenRefreshView.as_view(), name='token_refresh'), ... ] You can also include a route for Simple JWT's ``TokenVerifyView`` if you wish to allow API users to verify HMAC-signed tokens without having access to your signing key: .. code-block:: python from rest_framework_simplejwt.views import TokenVerifyView urlpatterns = [ ... path('api/token/verify/', TokenVerifyView.as_view(), name='token_verify'), ... ] The ``TokenVerifyView`` provides no information about a token's fitness for a particular use, it only verifies if a token is valid or not, and return a 200 or 401 status code respectively. If you wish to use localizations/translations, simply add ``rest_framework_simplejwt`` to ``INSTALLED_APPS``. .. code-block:: python INSTALLED_APPS = [ ... 'rest_framework_simplejwt', ... ] Usage ----- To verify that Simple JWT is working, you can use curl to issue a couple of test requests: .. code-block:: bash curl \ -X POST \ -H "Content-Type: application/json" \ -d '{"username": "davidattenborough", "password": "boatymcboatface"}' \ http://localhost:8000/api/token/ ... { "access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNDU2LCJqdGkiOiJmZDJmOWQ1ZTFhN2M0MmU4OTQ5MzVlMzYyYmNhOGJjYSJ9.NHlztMGER7UADHZJlxNG0WSi22a2KaYSfd1S-AuT7lU", "refresh":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4" } You can use the returned access token to prove authentication for a protected view: .. code-block:: bash curl \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNDU2LCJqdGkiOiJmZDJmOWQ1ZTFhN2M0MmU4OTQ5MzVlMzYyYmNhOGJjYSJ9.NHlztMGER7UADHZJlxNG0WSi22a2KaYSfd1S-AuT7lU" \ http://localhost:8000/api/some-protected-view/ When this short-lived access token expires, you can use the longer-lived refresh token to obtain another access token: .. code-block:: bash curl \ -X POST \ -H "Content-Type: application/json" \ -d '{"refresh":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4"}' \ http://localhost:8000/api/token/refresh/ ... {"access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNTY3LCJqdGkiOiJjNzE4ZTVkNjgzZWQ0NTQyYTU0NWJkM2VmMGI0ZGQ0ZSJ9.ekxRxgb9OKmHkfy-zs1Ro_xs1eMLXiR17dIDBVxeT-w"}