Changing Default Behaviors

We provide what we think are sensible behaviors when a protected endpoint is accessed. If the access token is not valid for any reason (missing, expired, tampered with, etc.) we return JSON in the format {'msg': 'why accessing endpoint failed'} along with an appropriate HTTP status code (generally 401 or 422). However, you may want to customize what is returned in these situations. You can do that with the JWTManager *_loader functions: each one registers a callback for exactly one failure case, and the callback's return value is sent as the response in place of the default. Keep the response informative enough for a legitimate client to recover (for example, to know that it should refresh), but remember that anything in the body is also visible to an attacker probing the endpoint.

from flask import Flask, jsonify, request
from flask_jwt_extended import JWTManager, jwt_required, create_access_token

app = Flask(__name__)
app.secret_key = 'super-secret'  # Change this!
jwt = JWTManager(app)


# Use the expired_token_loader to call this function whenever an expired but
# otherwise valid access token tries to access an endpoint. The callback takes
# no arguments and must return a Flask response.
@jwt.expired_token_loader
def my_expired_token_callback():
    # This example answers with HTTP 200 and carries the failure only in the
    # body. A client that branches on the HTTP status code will treat the
    # expired token as a success, so consider returning 401 here instead.
    return jsonify({
        'status': 401,
        'sub_status': 101,
        'msg': 'The token has expired'
    }), 200


@app.route('/login', methods=['POST'])
def login():
    username = request.json.get('username', None)
    password = request.json.get('password', None)
    # Reject unless both the username and the password match (using 'and'
    # here would accept a request that gets only one of them right).
    if username != 'test' or password != 'test':
        return jsonify({"msg": "Bad username or password"}), 401

    ret = {'access_token': create_access_token(identity=username)}
    return jsonify(ret), 200


@app.route('/protected', methods=['GET'])
@jwt_required
def protected():
    return jsonify({'hello': 'world'}), 200

if __name__ == '__main__':
    app.run()

Loader functions are:

class flask_jwt_extended.jwt_manager.JWTManager(app=None)

expired_token_loader(callback)

Sets the callback method to be called if an expired but otherwise valid JWT is received.

The default implementation will return json '{"msg": "Token has expired"}' with a 401 status code.

Callback must be a function that takes zero arguments.

init_app(app)

Register this extension with the flask app. Use this instead of passing app to the constructor when the application is built with the factory pattern.

invalid_token_loader(callback)

Sets the callback method to be called if an invalid JWT is received (for example, the signature does not verify, the token is malformed, or it is the wrong type of token for the endpoint).

The default implementation will return json '{"msg": <err>}' with a 401 status code.

Callback must be a function that takes only one argument, which is the error message of why the token is invalid. Be careful about echoing that message verbatim to clients: it tells an attacker exactly which check rejected the token.

needs_fresh_token_loader(callback)

Sets the callback method to be called if a valid but non-fresh token attempts to access an endpoint protected with @fresh_jwt_required.

The default implementation will return json '{"msg": "Fresh token required"}' with a 401 status code.

Callback must be a function that takes no arguments.

revoked_token_loader(callback)

Sets the callback method to be called if a blacklisted (revoked) token attempts to access a protected endpoint.

The default implementation will return json '{"msg": "Token has been revoked"}' with a 401 status code.

Callback must be a function that takes no arguments.

unauthorized_loader(callback)

Sets the callback method to be called if no JWT is present in the request (for example, the Authorization header is missing or is not in the expected 'Bearer <JWT>' form).

The default implementation will return json '{"msg": "Missing Authorization Header"}' with a 401 status code.

Callback must be a function that takes only one argument, which is the error message of why the request is unauthorized.

user_claims_loader(callback)

This sets the callback method for adding custom user claims to a JWT.

By default, no extra user claims will be added to the JWT.

Callback must be a function that takes only one argument, which is the identity of the JWT being created, and returns a JSON-serializable object that is stored in the token. The claims are signed but not encrypted, so anyone holding the token can read them; do not put secrets in them.
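To make the division of labour between the loaders concrete, here is an added stand-alone model of the dispatch they perform. It is example code written for this page, not flask_jwt_extended's own implementation, and it deliberately uses only the Python standard library so it runs without Flask: a minimal HS256 JWT encoder, a classify function that maps one request to exactly one of the five failure cases (or to the verified payload), and a LoaderRegistry class with the same loader names as JWTManager. The names LoaderRegistry, create_token, classify and protected, the constructed secret and the sample claims are all assumptions of this example. What it shows beyond the text is the order of the checks: the signature is verified before any claim is read, so exp, jti and fresh are never trusted from an unverified token, and a token that is both expired and revoked reaches only the expired loader.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed secret for the example only; load it from configuration in real code.
SECRET = b"super-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LoaderRegistry:
    """Stand-in for JWTManager's loaders (assumed name): one callback per failure
    case plus the user-claims hook, pre-filled with the page's default responses."""

    def __init__(self):
        self.user_claims = lambda identity: {}
        self.callbacks = {
            "unauthorized": lambda err: ({"msg": err}, 401),
            "invalid": lambda err: ({"msg": err}, 401),
            "expired": lambda: ({"msg": "Token has expired"}, 401),
            "revoked": lambda: ({"msg": "Token has been revoked"}, 401),
            "needs_fresh": lambda: ({"msg": "Fresh token required"}, 401),
        }

    def _loader(self, case):
        def register(callback):
            self.callbacks[case] = callback
            return callback
        return register

    def unauthorized_loader(self, cb): return self._loader("unauthorized")(cb)
    def invalid_token_loader(self, cb): return self._loader("invalid")(cb)
    def expired_token_loader(self, cb): return self._loader("expired")(cb)
    def revoked_token_loader(self, cb): return self._loader("revoked")(cb)
    def needs_fresh_token_loader(self, cb): return self._loader("needs_fresh")(cb)

    def user_claims_loader(self, cb):
        self.user_claims = cb
        return cb

    def dispatch(self, case, arg):
        """'unauthorized'/'invalid' callbacks get the error string; the others get nothing."""
        callback = self.callbacks[case]
        return callback(arg) if arg is not None else callback()


def create_token(registry, identity, fresh=False, expires_in=900, now=None, jti=None):
    """HS256 JWT with the claims the loaders act on (exp, fresh, jti) plus user claims.
    Claims are signed, not encrypted: anyone holding the token can read them."""
    now = int(time.time()) if now is None else now
    payload = {"identity": identity, "iat": now, "exp": now + expires_in, "fresh": fresh,
               "jti": jti or str(uuid.uuid4()), "user_claims": registry.user_claims(identity)}
    signing_input = b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def classify(auth_header, now, revoked_jtis=frozenset(), fresh_required=False):
    """Map a request to exactly one loader case, or to ('ok', verified payload).
    Signature first, then expired -> revoked -> fresh, so one request fires one loader."""
    if not auth_header:
        return "unauthorized", "Missing Authorization Header"
    parts = auth_header.split()
    if len(parts) != 2 or parts[0] != "Bearer":
        return "unauthorized", "Bad Authorization header. Expected value 'Bearer <JWT>'"
    try:
        h, p, s = parts[1].split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "invalid", "Unsupported algorithm"  # rejects alg=none and key-confusion tricks
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return "invalid", "Signature verification failed"
        payload = json.loads(b64url_decode(p))
        if not isinstance(payload, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "invalid", "Malformed token"
    if payload.get("exp", 0) <= now:
        return "expired", None
    if payload.get("jti") in revoked_jtis:
        return "revoked", None
    if fresh_required and not payload.get("fresh"):
        return "needs_fresh", None
    return "ok", payload


def protected(registry, auth_header, now=None, revoked_jtis=frozenset(), fresh_required=False):
    """The view body runs only for 'ok'; every other case goes to its loader."""
    now = int(time.time()) if now is None else now
    case, arg = classify(auth_header, now, revoked_jtis, fresh_required)
    if case == "ok":
        return {"hello": arg["identity"], "claims": arg["user_claims"]}, 200
    return registry.dispatch(case, arg)


jwt = LoaderRegistry()


@jwt.user_claims_loader
def add_claims(identity):
    return {"roles": ["user"]}  # constructed sample claims; never put secrets here


@jwt.expired_token_loader
def my_expired_token_callback():
    # Keep 401 on the wire; a 200 with the failure only in the body is read as
    # success by any client that branches on the HTTP status code.
    return {"status": 401, "sub_status": 101, "msg": "The token has expired"}, 401


if __name__ == "__main__":
    token = create_token(jwt, "test", now=1000)
    print(protected(jwt, "Bearer " + token, now=1500))  # view runs
    print(protected(jwt, "Bearer " + token, now=2000))  # custom expired loader
```

The registry mirrors the page's contract for callback arity: unauthorized and invalid callbacks receive the error string, the other three receive nothing. Timestamps are passed in explicitly (now=...) so the expiry path can be exercised deterministically; in a real application the library reads the clock itself.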