Quick and simple security for Flask applications


Simple security for Flask applications combining Flask-Login, Flask-Principal, Flask-WTF, passlib, and your choice of datastore. Currently SQLAlchemy via Flask-SQLAlchemy and MongoEngine via Flask-MongoEngine are supported out of the box. You will need to install the Flask extensions that you'll be using. Additionally, you may need to install a password-hashing library such as py-bcrypt to support bcrypt passwords.


Flask-Security does a few things that Flask-Login and Flask-Principal don't provide out of the box. They are:

  1. Setting up login and logout endpoints
  2. Authenticating users based on username or email
  3. Limiting access based on user 'roles'
  4. User and role creation
  5. Password encryption (hashing via passlib)

That being said, you can still hook into things such as the Flask-Login and Flask-Principal signals if need be.

Getting Started

First, install Flask-Security:

$ mkvirtualenv app-name
$ pip install

Then install your datastore requirement.


$ pip install Flask-SQLAlchemy


$ pip install

Beyond this, the best place to get started at the moment is to look at the example application(s) and corresponding tests. The example apps are currently also used to test Flask-Security, so they are solid examples of most, if not all, features. Configuration options are illustrated in the tests as well. To run the example, do the following:

$ mkvirtualenv flask-security
$ git clone git://
$ cd flask-security
$ pip install Flask Flask-Login Flask-Principal Flask-SQLAlchemy passlib
$ pip install
$ python example/

Code Examples

If you don't want to check out the example quite yet, here are some hypothetical examples to give you a sense of how Flask-Security works:

Setup SQLAlchemy

from flask import Flask
from import Security
from import SQLAlchemyDatastore
from flask.ext.sqlalchemy import SQLAlchemy

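app = Flask(__name__)
# Placeholder value: use a long, random secret kept out of source control
app.config['SECRET_KEY'] = 'something'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///:memory:'

# Bind SQLAlchemy to the app, then hand the datastore to Flask-Security
db = SQLAlchemy(app)
Security(app, SQLAlchemyDatastore(db))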

Require a logged in user:

from flask import render_template
from import login_required

… application setup …

@login_required
def profile():
    return render_template('profile.html')

Require an admin:

from flask import render_template
from import roles_required

… application setup …

@roles_required('admin')
def admin():
    return render_template('admin/index.html')

Require any of the specified roles:

from flask import render_template
from import roles_accepted

… application setup …

@roles_accepted('admin', 'editor', 'author')
def admin():
    return render_template('admin/index.html')

Showing a link in a template only for an admin:

{% if current_user.has_role('admin') %}
<a href="{{ url_for('admin.index') }}">Admin Panel</a>
{% endif %}
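
The difference between the two role decorators, as an added illustration in plain Python that is not Flask-Security's own code. It assumes `roles_required` demands every listed role (the page only states that `roles_accepted` takes any of them); the `User` class, `Forbidden`, `allowed`, the two views, and passing the user as an argument instead of reading `current_user` are all hypothetical stand-ins.

```python
from functools import wraps

class Forbidden(Exception):
    """Raised when the user lacks the roles a view demands."""

class User:
    # Hypothetical user model exposing the has_role() check used in templates
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = frozenset(roles)

    def has_role(self, role):
        return role in self.roles

def _guard(check):
    """Build a role decorator from all() (every role) or any() (one role)."""
    def decorator_factory(*roles):
        def decorator(view):
            @wraps(view)
            def wrapped(user, *args, **kwargs):
                # Anonymous callers (None) are always rejected
                if user is None or not check(user.has_role(r) for r in roles):
                    raise Forbidden(view.__name__)
                return view(user, *args, **kwargs)
            return wrapped
        return decorator
    return decorator_factory

# Local stand-ins that model the assumed semantics, not the library's code
roles_required = _guard(all)   # every listed role must be held
roles_accepted = _guard(any)   # a single listed role is enough

@roles_required('admin', 'editor')
def purge_drafts(user):
    return 'purged'

@roles_accepted('admin', 'editor', 'author')
def edit_post(user):
    return 'edited'

def allowed(view, user):
    """Return True if the guarded view runs for this user, False if refused."""
    try:
        view(user)
        return True
    except Forbidden:
        return False
```

The template `has_role` check only hides the link; the view behind it still needs one of these decorators to refuse the request.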

Flask-Script Commands

Flask-Security comes packed with a few Flask-Script commands. They are:


Register these on your script manager for pure convenience.


Feel free to fork and contribute. If you decide to do so, be sure to include the relevant tests that you feel are necessary, and provide instructions for any requirements needed to run them. For instance, if you write a new datastore implementation, please provide instructions on how best to set up a connection when testing.

If you plan on running all the provided tests you'll need a local installation of MongoDB running on the standard port 27017 without username/password protection.
