@@ -55,10 +55,12 @@ You can still get the payload by setting the `verify` argument to `False`.
5555{u ' some' u ' payload'
5656```
5757
58- The ` decode() ` function can raise other exceptions, e.g. for invalid issuer or
59- audience (see below). All exceptions that signify that the token is invalid
60- extend from the base ` InvalidTokenError ` exception class, so applications can
61- use this approach to catch any issues relating to invalid tokens:
58+ ## Validation
59+ Exceptions can be raised during ` decode() ` for other errors besides an
60+ invalid signature (e.g. for invalid issuer or audience (see below). All
61+ exceptions that signify that the token is invalid extend from the base
62+ ` InvalidTokenError ` exception class, so applications can use this approach to
63+ catch any issues relating to invalid tokens:
6264
6365``` python
6466try :
@@ -67,8 +69,9 @@ except jwt.InvalidTokenError:
6769 pass # do something sensible here, e.g. return HTTP 403 status code
6870```
6971
70- You may also override exception checking via an ` options ` dictionary. The default
71- options are as follows:
72+ ### Skipping Claim Verification
73+ You may also override claim verification via the ` options ` dictionary. The
74+ default options are:
7275
7376``` python
7477options = {
@@ -77,24 +80,49 @@ options = {
7780 ' verify_nbf' True ,
7881 ' verify_iat' True ,
7982 ' verify_aud' True
83+ ' require_exp' False ,
84+ ' require_iat' False ,
85+ ' require_nbf' False
8086}
8187```
8288
83- You can skip individual checks by passing an ` options ` dictionary with certain keys set to ` False ` .
84- For example, if you want to verify the signature of a JWT that has already expired.
89+ You can skip validation of individual claims by passing an ` options ` dictionary
90+ with the "verify_ <claim_name>" key set to ` False ` when you call ` jwt.decode() ` .
91+ For example, if you want to verify the signature of a JWT that has already
92+ expired, you could do so by setting ` verify_exp ` to ` False ` .
8593
8694``` python
8795>> > options = {
88- >> > ' verify_exp' True ,
96+ >> > ' verify_exp' False ,
8997>> > }
9098
99+ >> > encoded = ' ...' # JWT with an expired exp claim
91100>> > jwt.decode(encoded, ' secret' options = options)
92101{u ' some' u ' payload'
93102```
94103
95- ** NOTE** : * Changing the default behavior is done at your own risk, and almost certainly will make your
96- application less secure. Doing so should only be done with a very clear understanding of what you
97- are doing.*
104+ ** NOTE** : * Changing the default behavior is done at your own risk, and almost
105+ certainly will make your application less secure. Doing so should only be done
106+ with a very clear understanding of what you are doing.*
107+
108+ ### Requiring Optional Claims
109+ In addition to skipping certain validations, you may also specify that certain
110+ optional claims are required by setting the appropriate ` require_<claim_name> `
111+ option to True. If the claim is not present, PyJWT will raise a
112+ ` jwt.exceptions.MissingRequiredClaimError ` .
113+
114+ For instance, the following code would require that the token has a 'exp'
115+ claim and raise an error if it is not present:
116+
117+ ``` python
118+ >> > options = {
119+ >> > ' require_exp' True
120+ >> > }
121+
122+ >> > encoded = ' ...' # JWT without an exp claim
123+ >> > jwt.decode(encoded, ' secret' options = options)
124+ jwt.exceptions.MissingRequiredClaimError: Token is missing the " exp"
125+ ```
98126
99127## Tests
100128
0 commit comments