Python and JWT: A Comprehensive Guide to Secure Sessions

Python and JWT: A Comprehensive Guide to Secure Sessions
Photo by David Nitschke / Unsplash

Welcome to a deep dive into an essential tool that's reshaping how we handle secure sessions online - the JSON Web Token (JWT). When teamed up with Python, JWTs serve as a robust and secure mechanism for data exchange.πŸ”„

In this article, we're going to investigate the crucial role of JWTs within Python, dissect their structure, and learn to utilize them effectively for establishing secure web sessions.πŸ”

This guide is designed for Python pros and newbies alike, aiming to help you master the use of JWTs with Python. So, get ready for an adventure πŸš€ into the thrilling realm of web security, leveraging Python and JWTs to safeguard our online interactions.

Introduction to JWT

When it comes to web security, there's a powerful tool making waves - the JSON Web Token. JWTs are compact, self-contained tokens designed for securely transmitting information between parties. These tokens can be signed with a secret using HMAC (Hash-based Message Authentication Code) which uses a secret key for message authentication, or with a public/private key pair like RSA (Rivest-Shamir-Adleman) or ECDSA (Elliptic Curve Digital Signature Algorithm), both cryptographic algorithms used for secure data transmission.πŸ”

In HMAC, both the sender and the receiver share a secret key, which is used to verify the integrity and authenticity of the message. On the other hand, RSA and ECDSA use two mathematically linked keys - one private, and one public. The private key signs the token, and the corresponding public key verifies the signature.

As compact tokens, JWTs encapsulate a JSON payload with claims or statements about an entity, providing an efficient and secure mechanism to verify identity and share resources.

The Role of JWTs in Secure Sessions

In the digital realm where security is paramount, JWTs play a pivotal role 🌐. At their core, JWTs are about establishing trust – they're cryptographic tokens that validate the identity of users, creating a secure environment for data exchange. In the context of secure sessions, JWTs act like digital passports πŸ›‚, carrying verified user information and permissions between the client and the server.

The value of a JWT lies in its compact, self-contained nature – each token is a small package πŸ“¦ of data, yet it carries a significant amount of information. This information, in the form of claims, can include user details, authentication data, and other pertinent information. Once a user is authenticated, a JWT is generated and sent back to the client. For all subsequent requests, the client includes this JWT, allowing the server to validate the user's identity and provide access to resources.

The beauty of JWTs is their versatility. They work seamlessly across different domains, platforms, and devices πŸ“±πŸ’», allowing for secure sessions in diverse environments. In the following sections, we'll learn more about the inner workings of JWTs and how to use them effectively in Python for secure web sessions.

JWT Structure and Functionality

JWTs bring a methodical and effective approach to maintaining secure sessions πŸ›‘οΈ. To understand how they do this, it's essential to comprehend their structure and functionality. A JWT consists of three distinct parts: the Header, the Payload, and the Signature, each playing a vital role in ensuring the token's integrity and authenticity.

Header: The JWT header typically includes two parts: the type of the token (JWT in this case) and the signing algorithm being used (like HMAC, RSA, or ECDSA). This information is then Base64Url encoded to form the first part of the JWT. For example, a header might look like this:

  "alg": "HS256",
  "typ": "JWT"

Payload: The payload contains the 'claims' or statements about an entity. These claims can be user details, roles, permissions, or any other information that can be encoded into a JSON object. Like the header, the payload is also Base64Url encoded. Here's an example of a payload:

  "sub": "1234567890",
  "name": "Satoshi Nakamoto",
  "admin": true

Signature: The signature is what verifies the JWT has remained untampered with during transmission. It's crafted by taking the encoded header, the encoded payload, and a secret, then applying the algorithm outlined in the header. This signature verifies the message's authenticity and integrity.

Combine these three parts with dot separators, and voila, you have a JWT! However, do bear in mind that while JWTs transport data compactly, they're not encrypted, they're Base64Url encoded. Therefore, we need to be cautious when handling sensitive data. πŸ”

As an illustration, here's an encoded JWT:


If you'd like to see this in action, you can encode and decode JWTs using online tools like In the following sections, we'll delve into how to generate and validate JWTs using Python. Let's continue our exploration of JWTs and their role in secure web sessions in Python. πŸ’»

Implementing JWTs with Python

Delving further into our journey with JWTs and Python, let's explore how we can implement JWTs using PyJWT, a Python library which allows you to encode, decode, and verify the signature of JWTs πŸ› οΈ.

To start, you'll need to install PyJWT, which you can do via pip:

pip install PyJWT

Now, let's consider a simple example where we encode and decode a JWT:

import jwt

# Define a secret key
secret_key = "secret"

# Define a payload
payload = {
    "user_id": 123,
    "username": "JohnDoe",
    "admin": True

# Encode a JWT
encoded_jwt = jwt.encode(payload, secret_key, algorithm="HS256")
print(f"Encoded JWT: {encoded_jwt}")

# Output
>>> Encoded JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjMsInVzZXJuYW1lIjoiSm9obkRvZSIsImFkbWluIjp0cnVlfQ._NU3n4D8l8vrSaqZq2KuEs1lPmKE1zyISbCISWY-HFY

# Decode a JWT
decoded_jwt = jwt.decode(
print(f"Decoded JWT: {decoded_jwt}")

# Output
>>> Decoded JWT: {'user_id': 123, 'username': 'JohnDoe', 'admin': True}

In this code, we first import the jwt module, define a secret key and payload, encode the JWT using the payload and secret key, and then decode it. The result of running this script will be an encoded JWT and the decoded JWT payload.

The jwt.encode() method in this script takes the payload, the secret key, and an algorithm as parameters, returning an encoded JWT. Conversely, jwt.decode() takes the encoded JWT, the secret key, and the algorithms as parameters, validating the JWT's signature and returning the decoded payload.

Remember, handling JWTs requires careful attention to security, particularly when handling the secret key and sensitive data in the payload. It's a best practice to store the secret key in a secure and accessible environment for your application πŸ”. This might be an environment variable or a secret chamber.

In the upcoming sections, we'll take a look at how to effectively manage JWTs for secure sessions in Python web applications. Let's continue to unlock the power of Python and JWTs for web security! πŸ’»

FastAPI and JWTs Code Example Explained

In this FastAPI example, we're building a simple web application with two endpoints: /login for user authentication and /secure-endpoint for accessing a secure resource.


We start by installing FastAPI, Uvicorn (ASGI server to run FastAPI), Pydantic (for data validation), and PyJWT (to work with JWTs).

pip install fastapi uvicorn pydantic pyjwt

Code Structure:

Here is an annotated breakdown of the code:

from fastapi import FastAPI, Depends, HTTPException, Security
from import HTTPBearer, HTTPAuthorizationCredentials
import jwt

SECRET_KEY = "super-secret-key"  # Use a secure key in production
app = FastAPI()

security = HTTPBearer()
  • We import necessary modules and classes.
  • We define a SECRET_KEY. This key should be kept secret in production. It’s used to encode and decode JWTs.
  • We initialize FastAPI by creating an instance of FastAPI().
  • We create an instance (security) of HTTPBearer to handle Bearer token authentication. It expects the client to send a token in the Authorization header with the Bearer scheme, like Authorization: Bearer YOUR_TOKEN.
def get_current_user(authorization: HTTPAuthorizationCredentials = Depends(security)):
    token = authorization.credentials
        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
        return payload
    except jwt.PyJWTError:
        raise HTTPException(status_code=403, detail="Invalid authorization code")
  • We define a function get_current_user that attempts to decode the JWT sent by the user. If the decoding fails (e.g., because the token is expired or tampered with), an HTTP exception is raised."/login")
def login(username: str, password: str):
    # Dummy check for username and password (use proper authentication in production)
    if username == "test" and password == "password":
        token = jwt.encode({"username": username}, SECRET_KEY, algorithm="HS256")
        return {"access_token": token}
    return {"message": "Invalid credentials"}
  • We create a /login endpoint which expects a username and password in the request body. For this example, we're using hardcoded credentials, but in production, you should verify the credentials against a database.
  • If the credentials are correct, a JWT is generated and returned in the response as access_token.
@app.get("/secure-endpoint", dependencies=[Depends(get_current_user)])
def secure_endpoint():
    return {"message": "You've accessed a secure endpoint!"}
  • We create a /secure-endpoint which requires a valid JWT to be accessed. It uses the get_current_user function to check for a valid JWT in the Authorization header.

Making Requests to the API:

  • To test the /login endpoint, make a POST request with JSON data containing the username and password. For example, using curl:
curl -X POST "http://localhost:8000/login" -H "Content-Type: application/json" -d '{"username": "test", "password": "password"}'
  • To test the /secure-endpoint, you need to include the JWT in the Authorization header:
curl -X GET "http://localhost:8000/secure-endpoint" -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Code example summary:

As you can see FastAPI simplifies integrating JWTs through its intuitive security utilities like HTTPBearer. The dependency injection system allows for modular and reusable token verification. It's clear syntax and well-documented features streamline the authentication process. Leveraging FastAPI with JWTs offers a highly efficient and secure method for handling user sessions, letting developers focus on what matters. 🎯


In this article, we embarked on an insightful journey through JSON Web Tokens (JWTs) and their synergy with Python, especially using FastAPI. JWTs are compact tokens composed of a header, payload, and signature, ensuring secure information exchange.

FastAPI, a modern and high-performance web framework for Python, significantly simplifies JWT implementation. With utilities like HTTPBearer and a versatile dependency injection system make authentication setup more accessible and efficient. Additionally, its asynchronous nature boosts application performance.

We explored a practical example showcasing user authentication with JWTs in a FastAPI application. This demonstrated the essence of token generation, verification, and endpoint protection.

As a closing note, it is vital to stay vigilant regarding security. Opt for robust secret keys, be mindful of payload content, and employ security headers. JWTs and FastAPI together offer a powerful toolkit for constructing secure and scalable web applications. Keep these insights in mind for your future projects. Happy coding!


  • JWTs are compact, URL-safe tokens that securely represent claims between two parties.
  • They consist of three parts: header, payload (claims), and signature.
  • In Python, you can work with JWTs using libraries like PyJWT.
  • FastAPI provides excellent support for implementing JWT-based authentication with utilities like HTTPBearer.
  • Integrating JWTs in FastAPI is simplified due to its intuitive syntax, dependency injection, and extensive documentation.
  • Together, FastAPI and JWTs create a powerful combo for building secure and scalable web applications.

Don't miss out on more insights like these! πŸŽ‰ Hit that subscribe button for my newsletter, and stay in the loop with each enlightening new post. Elevate your skills and stay ahead of the curve with timely updates delivered straight to your inbox!

Maciej MarzΔ™ta

Maciej MarzΔ™ta

Founder of MarzTech. Python Technical Leader at unicorn startup. Crypto enthusiast and programmer for life.
Cracow, Poland