# JWT Authentication Deep Dive

Understand how JWT tokens work and implement them in FastAPI.

## 1. JWT Structure

A JWT token consists of 3 parts separated by dots: header.payload.signature

In [None]:
# Example JWT token
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImlhdCI6MTcwMzAwMDAwMCwiZXhwIjoxNzAzMzYwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

# Split into parts
parts = token.split('.')
print(f"JWT has {len(parts)} parts:\n")
print(f"1. Header:    {parts[0][:20]}...")
print(f"2. Payload:   {parts[1][:20]}...")
print(f"3. Signature: {parts[2][:20]}...")
print()

## 2. Decode JWT Parts

Each part is Base64-encoded. Let's decode them.

In [None]:
import base64
import json

# Add padding if needed
def decode_base64(data):
    """Decode Base64URL encoded string."""
    # Add padding
    padding = 4 - len(data) % 4
    data += '=' * padding
    return base64.urlsafe_b64decode(data)

# Decode header
header_decoded = decode_base64(parts[0])
print("1. HEADER (decoded):")
print(json.dumps(json.loads(header_decoded), indent=2))
print()

# Decode payload
payload_decoded = decode_base64(parts[1])
print("2. PAYLOAD (decoded):")
print(json.dumps(json.loads(payload_decoded), indent=2))
print()

print("3. SIGNATURE:")
print(f"  (This is a cryptographic hash - cannot be reversed)")
print()

## 3. Create JWT Tokens with python-jose

Use the python-jose library to create and verify tokens.

In [None]:
from jose import jwt, JWTError
from datetime import datetime, timedelta, timezone
import json

# Configuration
SECRET_KEY = "your-secret-key-keep-it-safe-and-long-at-least-32-characters"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

# Create a token
data = {
    "sub": "1",  # Subject (usually user ID)
    "username": "john_doe",
    "email": "john@example.com",
    "exp": datetime.now(timezone.utc) + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES),
    "iat": datetime.now(timezone.utc),  # Issued at
    "type": "access"  # Token type
}

token = jwt.encode(data, SECRET_KEY, algorithm=ALGORITHM)

print("Created token:")
print(token)
print()
print(f"Token length: {len(token)} characters")
print()

## 4. Verify JWT Tokens

Validate that a token hasn't been tampered with and isn't expired.

In [None]:
# Verify the token
try:
    payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    print("‚úÖ Token is valid!\n")
    print("Decoded payload:")
    print(json.dumps(payload, indent=2, default=str))
except JWTError as e:
    print(f"‚ùå Token is invalid: {e}")
print()

## 5. Token Tampering Detection

Demonstrate how JWT detects tampering.

In [None]:
# Tamper with the token (change one character in payload)
tampered_token = token[:-5] + "XXXXX"  # Change last 5 characters

print(f"Original token: {token[-20:]}")
print(f"Tampered token: {tampered_token[-20:]}")
print()

try:
    payload = jwt.decode(tampered_token, SECRET_KEY, algorithms=[ALGORITHM])
    print("‚úÖ Token is valid")
except JWTError as e:
    print(f"‚ùå Token rejected! {e}")
    print("\nTampering detected! The signature doesn't match.")
print()

## 6. Token Expiration

Show how tokens expire and need to be refreshed.

In [None]:
# Create an already-expired token
expired_data = {
    "sub": "1",
    "username": "john_doe",
    "exp": datetime.now(timezone.utc) - timedelta(minutes=5),  # Expired 5 minutes ago
    "type": "access"
}

expired_token = jwt.encode(expired_data, SECRET_KEY, algorithm=ALGORITHM)

print("Attempting to use an expired token...")
try:
    payload = jwt.decode(expired_token, SECRET_KEY, algorithms=[ALGORITHM])
    print("‚úÖ Token is valid")
except JWTError as e:
    print(f"‚ùå Token rejected! {e}")
    print("\nThe token has expired and must be refreshed.")
print()

## 7. Access & Refresh Tokens

Implement the 2-token pattern for better security.

In [None]:
def create_tokens(user_id: str, username: str):
    """Create both access and refresh tokens."""
    
    # ACCESS TOKEN - Short expiry (30 minutes)
    access_data = {
        "sub": user_id,
        "username": username,
        "type": "access",
        "exp": datetime.now(timezone.utc) + timedelta(minutes=30),
        "iat": datetime.now(timezone.utc)
    }
    access_token = jwt.encode(access_data, SECRET_KEY, algorithm=ALGORITHM)
    
    # REFRESH TOKEN - Long expiry (7 days)
    refresh_data = {
        "sub": user_id,
        "type": "refresh",
        "exp": datetime.now(timezone.utc) + timedelta(days=7),
        "iat": datetime.now(timezone.utc)
    }
    refresh_token = jwt.encode(refresh_data, SECRET_KEY, algorithm=ALGORITHM)
    
    return {
        "access_token": access_token,
        "refresh_token": refresh_token,
        "token_type": "bearer"
    }

# Create tokens for a user
tokens = create_tokens("123", "john_doe")
print("Created token pair:\n")
print(f"Access token (30 min):  {tokens['access_token'][:50]}...")
print(f"Refresh token (7 days): {tokens['refresh_token'][:50]}...")
print()

## 8. Validating Token Type

Ensure we're using the right token for the right purpose.

In [None]:
def verify_access_token(token: str) -> dict:
    """Verify token is a valid access token."""
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        
        # Check token type
        if payload.get("type") != "access":
            raise JWTError("Invalid token type - expected 'access'")
        
        return payload
    except JWTError as e:
        raise JWTError(f"Invalid token: {e}")

# Verify access token
access_token = tokens["access_token"]
print("Verifying access token...")
try:
    payload = verify_access_token(access_token)
    print("‚úÖ Valid access token")
    print(f"   User: {payload.get('username')}")
    print(f"   ID: {payload.get('sub')}")
except JWTError as e:
    print(f"‚ùå {e}")
print()

# Try to use refresh token as access token
refresh_token = tokens["refresh_token"]
print("Trying to use refresh token as access token...")
try:
    payload = verify_access_token(refresh_token)
    print("‚úÖ Valid")
except JWTError as e:
    print(f"‚ùå {e}")
print()

## 9. Token Refresh Flow

How to use a refresh token to get a new access token.

In [None]:
def refresh_access_token(refresh_token: str) -> dict:
    """Use refresh token to get new access token."""
    try:
        # Decode refresh token
        payload = jwt.decode(refresh_token, SECRET_KEY, algorithms=[ALGORITHM])
        
        # Verify it's a refresh token
        if payload.get("type") != "refresh":
            raise JWTError("Invalid token type - expected 'refresh'")
        
        # Create new access token
        user_id = payload.get("sub")
        new_access_data = {
            "sub": user_id,
            "type": "access",
            "exp": datetime.now(timezone.utc) + timedelta(minutes=30),
            "iat": datetime.now(timezone.utc)
        }
        new_access_token = jwt.encode(new_access_data, SECRET_KEY, algorithm=ALGORITHM)
        
        return {
            "access_token": new_access_token,
            "token_type": "bearer"
        }
    except JWTError as e:
        raise JWTError(f"Cannot refresh token: {e}")

print("User's access token expires...")
print(f"Old access token: {tokens['access_token'][:50]}...\n")

print("User sends refresh token to /api/v1/auth/refresh...\n")
new_tokens = refresh_access_token(tokens["refresh_token"])
print(f"New access token: {new_tokens['access_token'][:50]}...")
print("‚úÖ User can now continue using the API!")
print()

## 10. Real-World JWT Flow in FastAPI

See how JWT integrates with FastAPI authentication.

In [None]:
# Simulating the flow without running FastAPI

print("=" * 60)
print("JWT AUTHENTICATION FLOW IN FASTAPI")
print("=" * 60)
print()

print("1Ô∏è‚É£  USER REGISTRATION")
print("-" * 60)
print("POST /api/v1/auth/register")
print('{"email": "user@example.com", "password": "secret"}\n')
print("‚Üí Password hashed with bcrypt")
print("‚Üí User stored in database")
print("‚Üí Response: {\"id\": 1, \"email\": \"user@example.com\"}")
print()

print("2Ô∏è‚É£  USER LOGIN")
print("-" * 60)
print("POST /api/v1/auth/login")
print('{"username": "user@example.com", "password": "secret"}\n')
print("‚Üí Password verified against hash")
print("‚Üí Access & refresh tokens created")
print("‚Üí Response:")
response = {
    "access_token": "eyJhbGc...",
    "refresh_token": "eyJhbGc...",
    "token_type": "bearer"
}
print(json.dumps(response, indent=2))
print()

print("3Ô∏è‚É£  API REQUEST WITH TOKEN")
print("-" * 60)
print("GET /api/v1/auth/me")
print("Header: Authorization: Bearer eyJhbGc...\n")
print("‚Üí Token decoded and verified")
print("‚Üí User loaded from database")
print("‚Üí Check if user.is_active == True")
print("‚Üí Return user info")
print()

print("4Ô∏è‚É£  TOKEN EXPIRATION")
print("-" * 60)
print("(30 minutes pass...)\n")
print("GET /api/v1/auth/me")
print("Header: Authorization: Bearer eyJhbGc... (expired)\n")
print("‚Üí jwt.decode() raises JWTError('Token expired')")
print("‚Üí Response: 401 Unauthorized")
print()

print("5Ô∏è‚É£  REFRESH TOKEN")
print("-" * 60)
print("POST /api/v1/auth/refresh")
print('{"refresh_token": "eyJhbGc..."}\n')
print("‚Üí Refresh token validated")
print("‚Üí New access token created")
print("‚Üí Response: {\"access_token\": \"eyJhbGc...\", ...}")
print()

print("=" * 60)
print()

## 11. Security Considerations

Important security practices for JWT implementation.

In [None]:
print("üîí JWT SECURITY BEST PRACTICES\n")
print()
print("1. SECRET KEY")
print("   ‚ùå DON'T: SECRET_KEY = 'password123'")
print("   ‚úÖ DO: Keep SECRET_KEY in environment variable")
print("          Generate with os.urandom(32).hex()")
print("          Use at least 256-bit entropy")
print()
print("2. HTTPS ONLY")
print("   ‚ùå DON'T: Send tokens over HTTP")
print("   ‚úÖ DO: Always use HTTPS in production")
print("          Man-in-the-middle attacks can steal tokens")
print()
print("3. TOKEN STORAGE (Client-side)")
print("   ‚ùå DON'T: Store in localStorage (XSS vulnerable)")
print("   ‚úÖ DO: Store in httpOnly cookies (more secure)")
print("          Or use secure local storage with short expiry")
print()
print("4. TOKEN EXPIRY")
print("   ‚ùå DON'T: Access tokens that never expire")
print("   ‚úÖ DO: Access tokens: 15-30 minutes")
print("          Refresh tokens: 7-30 days")
print()
print("5. PAYLOAD DATA")
print("   ‚ùå DON'T: Store sensitive data (passwords, SSN, etc.)")
print("   ‚úÖ DO: Store non-sensitive identifiers (user_id, username)")
print("          JWT payload is Base64-encoded, NOT encrypted")
print()
print("6. TOKEN VALIDATION")
print("   ‚ùå DON'T: Skip signature verification")
print("   ‚úÖ DO: Always verify signature and expiry")
print("          Always check token type (access vs refresh)")
print()
print("7. BLACKLIST (Token Revocation)")
print("   ‚ùå DON'T: Can't revoke JWT before expiry")
print("   ‚úÖ DO: Keep short expiry times")
print("          Or maintain blacklist in Redis for immediate revocation")
print()

## Summary

**JWT Key Concepts:**
- ‚úÖ Token structure: header.payload.signature
- ‚úÖ Signature prevents tampering (verification)
- ‚úÖ Two-token pattern: access (short) + refresh (long)
- ‚úÖ Stateless authentication (no server session needed)
- ‚úÖ Token type validation ensures proper usage

**Implementation Tips:**
1. Use python-jose for JWT operations
2. Keep SECRET_KEY in environment variables
3. Use appropriate expiry times
4. Always validate token signature and expiry
5. Check token type (access vs refresh)
6. Handle expired tokens with refresh flow

**Security First:**
- HTTPS only in production
- Don't store sensitive data in token
- Use httpOnly cookies for storage
- Short access token expiry
- Implement token blacklist for revocation