Obtain a Token Via POST and Verification - loum/jwt-auth GitHub Wiki
See the Django REST Framework JWT project for more information around token encoding/decoding.
In general, symmetric signing algorithms imply a shared secret between requesting and responding parties. As such, an element of trust is assumed as any entity that gains access to the secret key can consume the resources of our API.
With a Django username and password (Django Admin), we can obtain a symmetrically signed token with a POST:
$ curl -X POST -d "username=<username>&password=<password>" http://<your_server_ip>:8000/api-token-auth/
The token generated will look similar to the following (note the JSON format):
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJlbWFpbCI6ImxvdS5tYXJrb3Zza2lAZ21haWwuY29tIiwiZXhwIjoxNDQxNjg1Mjc2LCJ1c2VybmFtZSI6InRlc3RlciJ9.q-36s9mzR8GsnPCBcVStWoqdyY7fBCtt3OR4You1TJY"}
The base64-encoded string carries a cryptographic signature computed with the default HS256 algorithm (HMAC using SHA-256). The signature is an HMAC over the header and payload, keyed with the Django settings.SECRET_KEY value.
Asymmetric algorithms are based on public-key cryptography. When signing, the key is expected to be either an RSA private key in PEM or SSH format. In this example, the cryptographic signature is based on RS256 - RSA PKCS#1 signature with SHA-256.
A private/public key pair has been created under the project's auth/tests/files directory. The following demonstrates how to create these files. Here, we ignore the complexities of Certificate Authorities and Certificate Signing Requests (CSRs) and simply generate a self-signed certificate and key with OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj '/C=AUS/ST=VIC/L=Melbourne/CN=www.abc.com' -keyout rsakey.pem -out rsacert.pem
The private key has been placed in rsakey.pem, whilst the certificate has been placed in rsacert.pem.
With a Django username and password (Django Admin), we can obtain an asymmetrically encoded token with a POST:
$ curl -X POST -d "username=<username>&password=<password>" http://<your_server_ip>:8000/api-asymmetric-token-auth/
{"token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3RlciIsImV4cCI6MTQ1MjIxMjA2NCwiZW1haWwiOiJsb3UubWFya292c2tpQGdtYWlsLmNvbSIsInVzZXJfaWQiOjF9.XaeiNmOoL403iTxMG9nh80OXMIZMie980CLo0eyiMhTh_9rXGf9bC3INPG3N7Wid7gcmg2yJL5hBpfJ9ojZ39mtrAVKsXHlt2TCw6V5-1kSU_KhPRyPA12xcUbpCocU3B0QQD6QFC0qfZusf2tB3Ta3PI8CZel5SuZOM_iqiqrc"}
Token output structure is similar to a symmetrically signed token. However, in this case the token is cryptographically signed with the private key found within auth/tests/files/rsakey.pem.
Azure AD provides an interface that can also generate asymmetric JWTs.
Any base64 decoding tool can be used to convert the header and payload (the first two sections of the three-part, dot "." delimited token) to plain text. However, the signing secret (settings.SECRET_KEY for HS256) is required to verify the signature, and hence the integrity of the data (confirming that no one has tampered with the token).
jwt.io is a handy online JWT decoder tool that can be used to verify the JWT. Simply cut and paste the generated JWT into the Encoded text field. Under the Decoded section, note that the HEADER and PAYLOAD fields are presented in plain text.
To verify the signature, ensure that the ALGORITHM drop-down is set to HS256 and enter the settings.SECRET_KEY value into the VERIFY SIGNATURE text field. This should trigger a Signature Verified message.
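The HS256 structure described above, as an added example that is not part of the jwt-auth project: it decodes the header and payload of the token shown earlier without any key, then signs and verifies a token with a constructed stand-in secret (the project's real settings.SECRET_KEY is not published, so the page's token will not verify against it) and shows that an edited payload fails verification. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json

# The HS256 token shown above, exactly as returned by /api-token-auth/.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VyX2lkIjoxLCJlbWFpbCI6ImxvdS5tYXJrb3Zza2lAZ21haWwuY29tIiwiZXhwIjoxNDQxNjg1Mjc2LCJ1c2VybmFtZSI6InRlc3RlciJ9."
              "q-36s9mzR8GsnPCBcVStWoqdyY7fBCtt3OR4You1TJY")
# Constructed stand-in; the real settings.SECRET_KEY is unknown, so PAGE_TOKEN will not verify with it.
DEMO_SECRET = "constructed-demo-secret"

def b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """Header and payload are plain base64url JSON: readable by anyone, trusted by no one."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload, secret):
    """HS256: signature = HMAC-SHA256(secret, base64url(header) + '.' + base64url(payload))."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret):
    """Recompute the HMAC over the first two segments and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm the verifier expects; the header's alg claim is untrusted input.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def edit_claims_keep_signature(token, **changes):
    """Alter payload claims but keep the old signature: the case a verifier must reject."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64

if __name__ == "__main__":
    header, claims = decode_unverified(PAGE_TOKEN)
    print(header, claims["username"], claims["exp"])          # readable without any key
    good = sign_hs256(claims, DEMO_SECRET)
    print(verify_hs256(good, DEMO_SECRET))                                         # True
    print(verify_hs256(edit_claims_keep_signature(good, user_id=2), DEMO_SECRET))  # False
    print(verify_hs256(PAGE_TOKEN, DEMO_SECRET))                                   # False: wrong secret
```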
For an asymmetrically signed token, the jwt.io ALGORITHM drop-down should be set to RS256. Note that this alters the VERIFY SIGNATURE section to include free-text widgets for a public certificate and a private key. To verify the signature, enter the public certificate from the project's auth/tests/files/rsacert.pem file.
The jwt-auth application provides an API that accepts a JWT via a POST request:
$ curl -X POST -H "Content-Type: application/json" -d '{"token":"<TOKEN>"}' http://<your-server-ip>:8000/api-token-verify/
On success, this call will return an HTTP_200_OK status code and echo <TOKEN>.
Note: this endpoint supports both symmetrically and asymmetrically signed tokens.