# 1. Introduction to JSON Web Token (JWT)

- JWT is an open standard (RFC 7519) for passing claims between parties as a compact, URL-safe JSON object. The signature lets the receiver check that the token was issued by the holder of the signing key and has not been altered; the payload itself is only base64url-encoded, not encrypted (that would need JWE).
- Commonly used for authentication and authorization in APIs.

**A typical JWT has three parts, joined by dots:**
- **Header**: the token type and the signing algorithm (`alg`). The verifier should pin the algorithm it accepts rather than trust this field.
- **Payload**: the claims (e.g. `user_id`, `exp`). Anyone holding the token can read them, so never put secrets in the payload.
- **Signature**: an HMAC or digital signature over the header and payload; it proves origin and integrity.

✅ JWTs are **stateless**: once issued, the server doesn't need to store sessions. The flip side is that a token cannot be recalled before it expires unless you keep a blacklist, so keep lifetimes short.
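To make the three parts concrete, here is an added example (not from the original page and not Simple JWT's code) that builds and verifies an HS256 token with the standard library only. The secret key, the claims and the function names are the example's own; it also shows why the verifier must pin the algorithm and check the signature before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example. Simple JWT signs with Django's SECRET_KEY unless
# SIGNING_KEY is set, so the same rule applies: leak the key, lose the tokens.
SECRET_KEY = b"demo-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the trailing '=' padding removed (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped so the stdlib decoder accepts it.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes) -> str:
    """Build header.payload.signature, signing the first two segments with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> dict:
    """The payload is encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the signature is valid and 'exp' has not passed.

    Raises ValueError otherwise. 'now' is injectable so expiry can be tested.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own 'alg' choose the
    # check. This is what blocks the classic alg=none bypass.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker move: swap the payload but keep the original signature."""
    header_b64, _, signature_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}.{signature_b64}"


def forge_alg_none(claims: dict) -> str:
    """Attacker move: an unsigned token whose header claims alg=none."""
    header_b64 = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = encode({"user_id": 42, "iat": issued_at, "exp": issued_at + 300}, SECRET_KEY)
    print(token)
    print("readable without the key:", decode_unverified(token))
    print("verified claims:", verify(token, SECRET_KEY, now=issued_at + 10))
    attacks = [
        ("tampered payload", tamper_payload(token, {"user_id": 1, "exp": issued_at + 300})),
        ("alg=none", forge_alg_none({"user_id": 1})),
    ]
    for label, bad_token in attacks:
        try:
            verify(bad_token, SECRET_KEY, now=issued_at + 10)
        except ValueError as err:
            print(f"{label} rejected: {err}")
```

Run it and compare `decode_unverified` with `verify`: the first reads the claims from any token, the second only hands them back once the HMAC matches and `exp` is still in the future, which is the distinction between "a token says user 42" and "the issuer says user 42".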

# 2. Introduction to Simple JWT

- Simple JWT is a third-party package for Django REST Framework.
- Provides JWT authentication support.

**It generates two token types:**
- **Access Token**: Short-lived; sent with every request to authenticate it.
- **Refresh Token**: Long-lived; exchanged for new access tokens without logging in again. It is a bearer credential, so anyone who steals it can mint access tokens until it expires; store it as carefully as a password.

🔒 Ideal for stateless API authentication.

# 3. How to Install and Configure Simple JWT

### Install:
```bash
pip install djangorestframework-simplejwt
```

### Update `settings.py`:
```python
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
}
```

### Add JWT views to `urls.py`:
```python
from django.urls import path
from rest_framework_simplejwt.views import (
    TokenObtainPairView,
    TokenRefreshView,
    TokenVerifyView,
)

urlpatterns = [
    path('gettoken/', TokenObtainPairView.as_view(), name='token_obtain_pair'),
    path('refreshtoken/', TokenRefreshView.as_view(), name='token_refresh'),
    path('verifytoken/', TokenVerifyView.as_view(), name='token_verify'),
]
```

# 4. JWT Default Settings

By default:
- `ACCESS_TOKEN_LIFETIME`: 5 minutes
- `REFRESH_TOKEN_LIFETIME`: 1 day

### Customize in `settings.py`:
```python
from datetime import timedelta

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=10),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    # When True, every refresh call also returns a new refresh token.
    'ROTATE_REFRESH_TOKENS': False,
    # Only takes effect when ROTATE_REFRESH_TOKENS is True and
    # 'rest_framework_simplejwt.token_blacklist' is in INSTALLED_APPS
    # (then run `python manage.py migrate`).
    'BLACKLIST_AFTER_ROTATION': True,
}
```

Tokens are signed with Django's `SECRET_KEY` unless you set `SIGNING_KEY`, so a leaked `SECRET_KEY` lets anyone mint valid tokens for any user.

# 5. ACCESS_TOKEN_LIFETIME and REFRESH_TOKEN_LIFETIME

- `ACCESS_TOKEN_LIFETIME`: How long an access token authenticates API requests. **Keep short**: a stolen access token stays usable until it expires, and without a blacklist there is no way to revoke it earlier.
- `REFRESH_TOKEN_LIFETIME`: How long new access tokens can be obtained **without re-authentication**. It bounds how long a stolen refresh token remains useful, so it is a trade-off between login friction and exposure.

# 6. How to Use Simple JWT

1. Add `JWTAuthentication` in `DEFAULT_AUTHENTICATION_CLASSES`.
2. Use `TokenObtainPairView` to get tokens.
3. Send **access token** in `Authorization` header:

```
Authorization: Bearer <access_token>
```

# 7. How to Get Token

### Make POST request to `/gettoken/`:
```http
POST /gettoken/
Content-Type: application/json

{
    "username": "yourusername",
    "password": "yourpassword"
}
```

### Response:
```json
{
    "refresh": "your-refresh-token",
    "access": "your-access-token"
}
```

# 8. How to Verify Token

### POST request to `/verifytoken/`:
```http
POST /verifytoken/
Content-Type: application/json

{
    "token": "your-access-token"
}
```

- If valid → **200 OK** with an empty JSON object `{}`
- If invalid/expired → **401 Unauthorized** with `{"detail": "Token is invalid or expired", "code": "token_not_valid"}`
- Verification checks only the signature, the expiry and (when the blacklist app is enabled) the blacklist; it does not check that the user still exists or is active.

# 9. How to Refresh Token

### POST request to `/refreshtoken/`:
```http
POST /refreshtoken/
Content-Type: application/json

{
    "refresh": "your-refresh-token"
}
```

➡️ You'll receive a **new access token** in the response. With `ROTATE_REFRESH_TOKENS` enabled you also get a **new refresh token** and must discard the old one (which is blacklisted if `BLACKLIST_AFTER_ROTATION` is on).
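The interaction between the two lifetimes (section 5), `ROTATE_REFRESH_TOKENS` and `BLACKLIST_AFTER_ROTATION` (section 4), and the refresh call above is easiest to see with a small model. This is an added example, not Simple JWT's own code: it uses opaque random strings instead of signed JWTs and keeps its "outstanding" and "blacklisted" tables in memory, but the rules it applies on refresh are the ones the settings describe. `TokenService`, `FakeClock` and the helper names are the example's own.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Same values as the page's SIMPLE_JWT example.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=5)
REFRESH_TOKEN_LIFETIME = timedelta(days=1)


class TokenNotValid(Exception):
    """Stands in for the 401 'token_not_valid' response."""


class TokenService:
    """Issues and refreshes token pairs under Simple JWT's rotation rules.

    'clock' is a zero-argument callable returning an aware datetime; it is
    injectable so expiry can be driven deterministically.
    """

    def __init__(self, rotate_refresh_tokens=False, blacklist_after_rotation=False, clock=None):
        self.rotate_refresh_tokens = rotate_refresh_tokens
        self.blacklist_after_rotation = blacklist_after_rotation
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._access = {}        # token -> (user, expires_at)
        self._refresh = {}       # token -> (user, expires_at); the "outstanding" set
        self._blacklist = set()  # refresh tokens retired after rotation

    def _issue(self, table, user, now, lifetime):
        token = secrets.token_urlsafe(32)
        table[token] = (user, now + lifetime)
        return token

    def obtain_pair(self, user):
        """What /gettoken/ returns after the password check succeeds."""
        now = self.clock()
        return {
            "refresh": self._issue(self._refresh, user, now, REFRESH_TOKEN_LIFETIME),
            "access": self._issue(self._access, user, now, ACCESS_TOKEN_LIFETIME),
        }

    def authenticate(self, access):
        """Per-request check on the Bearer token: the user, or None if rejected."""
        entry = self._access.get(access)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self.clock() < expires_at else None

    def refresh(self, refresh):
        """What /refreshtoken/ does; raises TokenNotValid on any rejection."""
        if refresh in self._blacklist:
            raise TokenNotValid("blacklisted")
        entry = self._refresh.get(refresh)
        if entry is None:
            raise TokenNotValid("unknown")
        user, expires_at = entry
        now = self.clock()
        if now >= expires_at:
            raise TokenNotValid("expired")
        response = {"access": self._issue(self._access, user, now, ACCESS_TOKEN_LIFETIME)}
        if self.rotate_refresh_tokens:
            # The replacement gets a full lifetime again (sliding window); the one
            # just used is retired only when blacklisting is on.
            response["refresh"] = self._issue(self._refresh, user, now, REFRESH_TOKEN_LIFETIME)
            if self.blacklist_after_rotation:
                self._blacklist.add(refresh)
        return response


class FakeClock:
    """Manually advanced clock, constructed for the demo."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


def replay_after_rotation(rotate, blacklist):
    """Reuse a refresh token after it has been exchanged; True if the replay works."""
    service = TokenService(rotate, blacklist, clock=FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc)))
    old_refresh = service.obtain_pair("alice")["refresh"]
    service.refresh(old_refresh)
    try:
        service.refresh(old_refresh)
        return True
    except TokenNotValid:
        return False


def expiry_walkthrough():
    """Drive the clock through both lifetimes and record what each call returns."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    service = TokenService(clock=clock)
    pair = service.obtain_pair("alice")
    seen = {"fresh": service.authenticate(pair["access"])}
    clock.advance(ACCESS_TOKEN_LIFETIME)
    seen["after_5_min"] = service.authenticate(pair["access"])
    seen["refreshed"] = service.authenticate(service.refresh(pair["refresh"])["access"])
    clock.advance(REFRESH_TOKEN_LIFETIME)
    try:
        service.refresh(pair["refresh"])
        seen["after_1_day"] = "refresh accepted"
    except TokenNotValid:
        seen["after_1_day"] = "re-login required"
    return seen


if __name__ == "__main__":
    print(expiry_walkthrough())
    for flags in [(False, False), (True, False), (True, True)]:
        print("rotate=%s blacklist=%s replay works: %s" % (*flags, replay_after_rotation(*flags)))
```

The point the last loop makes: rotation alone does not stop a stolen refresh token, because the old one stays valid until its own expiry; only rotation together with blacklisting retires it at first use, and that is why the blacklist app (and its database table) is needed for the setting to mean anything.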

# 10. Permission Classes

`JWTAuthentication` only establishes **who** is calling; for **authorization** (what they may do) you add permission classes such as:
- `IsAuthenticated`
- `IsAdminUser`
- `IsAuthenticatedOrReadOnly`
- `DjangoModelPermissions`

### In your views:
```python
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class MyView(APIView):
    permission_classes = [IsAuthenticated]

    def get(self, request):
        # request.user was resolved by JWTAuthentication from the token's user_id claim
        return Response({"user": request.user.username})
```
✅ This ensures **only authenticated users with a valid JWT** can access the view.