Skip to main content
Version: Next

Protect your API on Python


Extract the Bearer Token from request headerโ€‹

def get_auth_token():
auth = request.headers.get("Authorization", None)

if not auth:
raise Error({ code: 'auth.authorization_header_missing', status: 401 })

contents = auth.split()

if len(contents) < 2
raise Error({code: 'auth.authorization_token_invalid_format', status: 401})

elif contents[0] != 'Bearer'
raise Error({code: 'auth.authorization_token_type_not_supported', status: 401})

return contents[1]

Token validationโ€‹

For demonstration, we use the Flask app and jose package to create the require_auth decorator to validate the token's signature, expiration status, and required claims.

Install python-jose as your dependencyโ€‹

Pick the cryptography your are using in Logto. (ecdsa by default)

pip install python-jose[ecdsa]

Retrieve Logto's OIDC configurationsโ€‹

You will need a JWK public key set and the token issuer to verify the signature and source of the received JWS token. All the latest public Logto Authorization Configurations can be found at https://<your-logto-domain>/oidc/.well-known/openid-configuration.

e.g. Call And locate the following two fields in the response body:

"jwks_uri": "",
"issuer": ""

Create the authorization validation decoratorโ€‹


import json
from flask import request, _request_ctx_stack
from six.moves.urllib.request import urlopen
from functools import wraps
from jose import jwt

def requires_auth(f):
def decorated(*args, **kwargs):
token = get_token_auth_header()

# jwks_uri endpoint retrieved from Logto
jwks_uri = urlopen('https://<your-logto-domain>/oidc/jwks')

# issuer retrieved from Logto
issuer = 'https://<your-logto-domain>/oidc'

jwks = json.loads(

payload = jwt.decode(
# The jwt encode algorithm retrieved along with jwks. ES384 by default
# The API's registered resource indicator in Logto
audience='<your request listener resource indicator>',
'verify_at_hash': False
except Exception:
# exception handler
raise Error({code: 'invalid_token', status: 401})

# Custom code to process payload = payload.get('sub')

return f(*args, **kwargs)
return decorated


For ๐Ÿ” RBAC, scope validation is also required.

Apply decorator to your APIโ€‹

from flask import Flask
from flask_cors import cross_origin

APP = Flask(__name__)

@cross_origin(headers=["Content-Type", "Authorization"])
def api:
# Your API Logic