Simple JWT (DRF)
JWT authentication for Django REST Framework — provides access/refresh token pair authentication with configurable expiry, rotation, and blacklisting. Simple JWT features: TokenObtainPairView (POST /api/token/ with username/password returns access+refresh), TokenRefreshView (POST /api/token/refresh/), TokenVerifyView, token blacklisting via OutstandingToken/BlacklistedToken DB tables, custom token claims (add user data to payload), token rotation on refresh, sliding tokens, JWTAuthentication backend for DRF, and SIMPLE_JWT settings configuration. Standard JWT implementation with refresh token rotation for agent API authentication.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
SECRET_KEY used for JWT signing — rotate Django SECRET_KEY to invalidate all tokens if compromised. Use HTTPS exclusively for agent token transmission. Short ACCESS_TOKEN_LIFETIME (15 minutes) limits exposure from token theft. Token blacklist table grows over time; implement periodic cleanup of expired OutstandingToken records for agent production databases.
⚡ Reliability
Best When
Your Django DRF agent API needs stateless JWT authentication with access/refresh token pair — Simple JWT is the standard DRF JWT library with active maintenance and full refresh rotation support.
Avoid When
You need OAuth2 social login, session-based auth, or complex scope-based authorization.
Use Cases
- Agent API authentication — SIMPLE_JWT = {'ACCESS_TOKEN_LIFETIME': timedelta(minutes=15), 'REFRESH_TOKEN_LIFETIME': timedelta(days=7)} in settings; POST /api/token/ with agent credentials returns a short-lived access token and a long-lived refresh token
- Custom agent claims in JWT — subclass TokenObtainPairSerializer as AgentTokenObtainPairSerializer and override the get_token classmethod: token = super().get_token(user); token['agent_role'] = user.agent_role; return token. This embeds the agent role in the JWT payload for client-side authorization
- Token refresh rotation — SIMPLE_JWT['ROTATE_REFRESH_TOKENS'] = True generates a new refresh token on each refresh call; BLACKLIST_AFTER_ROTATION=True invalidates the old refresh token; agent mobile apps get rolling refresh without user re-login
- Agent token blacklisting on logout — from rest_framework_simplejwt.tokens import RefreshToken; token = RefreshToken(request.data['refresh']); token.blacklist() invalidates the agent refresh token on logout; requires rest_framework_simplejwt.token_blacklist in INSTALLED_APPS
- Protected agent views — REST_FRAMEWORK = {'DEFAULT_AUTHENTICATION_CLASSES': ['rest_framework_simplejwt.authentication.JWTAuthentication']} protects all DRF agent views; an Authorization: Bearer <access_token> header is required for agent API calls
Not For
- Session-based auth — Simple JWT is stateless JWT; for session cookie auth use Django's session framework or dj-rest-auth
- OAuth2 / social login — Simple JWT handles username/password JWT; for agent OAuth (Google, GitHub login) use django-allauth or python-social-auth
- Sophisticated permission scopes — Simple JWT adds claims but not OAuth2-style scopes; for fine-grained agent API scope control use djangorestframework-api-key or authlib
Interface
Authentication
Provides JWT authentication for DRF. Access token in Authorization: Bearer header. Refresh token rotates on each use. Token blacklist (DB table) tracks invalidated tokens for logout functionality.
Pricing
djangorestframework-simplejwt is MIT licensed, maintained by Jazzband. Free for all use.
Agent Metadata
Known Gotchas
- ⚠ Token blacklist requires migration and INSTALLED_APPS — rest_framework_simplejwt.token_blacklist must be in INSTALLED_APPS and python manage.py migrate must have been run; without the migration, token.blacklist() raises OperationalError; agent logout endpoints silently fail without the blacklist app installed and migrated
- ⚠ Access token stateless — a revoked user's access tokens remain valid until expiry (15 min default); agent user deactivation doesn't immediately invalidate access tokens; use a short ACCESS_TOKEN_LIFETIME and a long-lived refresh token with blacklisting, or add a user.is_active check in a custom authentication backend for agent security requirements
- ⚠ ROTATE_REFRESH_TOKENS without BLACKLIST_AFTER_ROTATION allows reuse — enabling rotation without blacklisting means old refresh tokens remain valid until they expire; agent refresh token theft then allows parallel sessions; always enable both ROTATE_REFRESH_TOKENS=True and BLACKLIST_AFTER_ROTATION=True for agent production security
- ⚠ Custom claims added to token not auto-enforced on decode — adding agent_role to the JWT payload doesn't enforce the role on endpoints; the custom claim is informational; agent authorization based on token claims must be implemented in custom permission classes or DRF's has_permission() method; Simple JWT verifies the token signature, which covers the custom claims, but never acts on their values
- ⚠ TokenObtainPairView uses username field — the default view expects a 'username' field; agent apps using email login need a custom serializer overriding username_field or an AUTH_USER_MODEL with email as USERNAME_FIELD; passing email to the default endpoint returns 'No active account found' without a clear field error
- ⚠ Sliding tokens differ from refresh tokens — SIMPLE_JWT['AUTH_TOKEN_CLASSES'] can be set to sliding tokens, which extend their lifetime on each use (no refresh endpoint needed); sliding tokens don't support blacklisting by design; agent apps using sliding tokens can't implement logout via token invalidation
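The refresh-rotation, blacklist-on-logout and reuse gotchas above can be seen side by side in this added stdlib-only model (written for this page, not Simple JWT's own code): in-memory sets stand in for the OutstandingToken and BlacklistedToken tables, tokens are represented by their jti only, and the two dataclass flags play the role of ROTATE_REFRESH_TOKENS and BLACKLIST_AFTER_ROTATION.

```python
"""Stdlib-only model of Simple JWT's ROTATE_REFRESH_TOKENS / BLACKLIST_AFTER_ROTATION
semantics: sets stand in for the OutstandingToken / BlacklistedToken tables, keyed by jti."""
import secrets
from dataclasses import dataclass, field

class TokenError(Exception):
    """Name mirrors rest_framework_simplejwt.exceptions.TokenError (model only)."""

@dataclass
class RefreshStore:
    rotate_refresh_tokens: bool = True        # SIMPLE_JWT['ROTATE_REFRESH_TOKENS']
    blacklist_after_rotation: bool = True     # SIMPLE_JWT['BLACKLIST_AFTER_ROTATION']
    outstanding: set = field(default_factory=set)   # stand-in for OutstandingToken
    blacklisted: set = field(default_factory=set)   # stand-in for BlacklistedToken

    def issue(self) -> str:
        """Like POST /api/token/: mint a refresh token (represented by its jti)."""
        jti = secrets.token_hex(16)
        self.outstanding.add(jti)
        return jti

    def refresh(self, jti: str) -> str:
        """Like POST /api/token/refresh/: reject revoked tokens, then rotate."""
        if jti not in self.outstanding or jti in self.blacklisted:
            raise TokenError("Token is blacklisted or unknown")
        if not self.rotate_refresh_tokens:
            return jti                       # same refresh token reused until expiry
        if self.blacklist_after_rotation:
            self.blacklisted.add(jti)        # old token dies with this call
        return self.issue()                  # client must store the new token

    def logout(self, jti: str) -> None:
        """Like RefreshToken(raw).blacklist(): explicit revocation on logout."""
        if jti not in self.outstanding:
            raise TokenError("Token is invalid or expired")
        self.blacklisted.add(jti)

def old_token_still_works(rotate: bool, blacklist: bool) -> bool:
    """After one refresh, can the *previous* refresh token still mint a new pair?
    True means a stolen pre-rotation token keeps a parallel session alive."""
    store = RefreshStore(rotate, blacklist)
    first = store.issue()
    store.refresh(first)                     # legitimate client rotates
    try:
        store.refresh(first)                 # replay of the pre-rotation token
        return True
    except TokenError:
        return False
```

Only the combination rotate=True, blacklist=True makes old_token_still_works() return False; in a real deployment the blacklist tables then grow with every refresh, which is what the flushexpiredtokens management command shipped with the token_blacklist app is for.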
Alternatives
Scores are editorial opinions as of 2026-03-07.