JSON Web Tokens, or JWTs for short, are all over the web. Wait, JWT or JOT? Well, you decide. In this video, you'll learn what JSON Web Tokens are and how to create JWTs in Python using the most popular JWT library, PyJWT. Let's get started.

I'm going to go over a brief introduction on what JWTs are, so if you're already familiar, you can skip ahead to the coding. JSON Web Tokens are a very compact way to carry information, and they are defined as a three-part structure consisting of a header, a payload, and a signature. The header and the payload both carry what we call claims. In the header, we find claims about the token itself, like what algorithm was used for signing that token, while the payload or the body carries information about a given asset. In a login scenario, this would be information about a user. Claims follow the standard key-value pairing, and most of the claims commonly used in JWTs have a standardized naming defined in RFC 7519.

Finally, the signature. This is the part that helps you make sure that a given token wasn't tampered with, because signing JWTs requires either a secret or a public-private key pair agreed on previously. The signature itself is based off the header and the payload in combination with a secret or private-public key pair, depending on what algorithm was used. If you want to know more about JWTs, you can read the JWT Handbook linked in the description below.

But enough about the theoretical part. Let's see some code. First, I'm going to create a Python environment in my working folder. The way I like to do this is using python3 -m venv. And keep in mind that I'm using Python version 3.8 here. Once that gets created, I can activate my venv. Now note that the command for activating your environment may vary, especially according to your operating system. And you can find a link in the description that lists all the ways you can activate an environment. So you can find a way that works best for your OS in there. Okay, cool.
Disclaimer done. Now I need to update my pip version. And now I need to install pyjwt with the cryptography dependency. And I'm doing this because you need the cryptography library if you want to use asymmetrical algorithms in the future. I'm also going to install IPython, which is an alternative Python console. Because personally, I like it better than the standard Python console. It has code completion and is overall nicer to the eyes. But feel free to choose whichever interface or console you prefer to follow along.

Now I have everything I need. So I'm going to open my console here by calling ipython. I'm going to clean my screen. And what I want to do is import the jwt object from the pyjwt library. The next step is to prepare some data so I can pass it in the body of my JWT. So let's create a dictionary to hold some user data. And this payload data has three claims. sub, which is the user identifier or subject of this token. name, which is the user's full name. And nickname, which is the user's, well, nickname. Keep in mind that I'm using some dummy data, which tells you who my user is in this example.

And now the work is pretty much done. You can call the encode method from the jwt package, pass the dictionary I just created, and let that method do its magic for us. And by this, I mean that the encode method takes care of creating a standard header for my token.

Now, before I print out this token, I'd like to point out three things. First is that the key parameter actually works for either a key or a secret. In this case, I'm using a secret because the default algorithm only requires a secret. Which brings me to my second point, that in real life, you'd have an actual secret being used instead of this dummy string that I got here. And third is that if you were using an asymmetric algorithm for signing, like RS256, you would need to use the private key for signing your token. Don't worry, I'm going to show you how to do that in just a bit.
Now, if I print out this token by calling it, you see this huge string over here. And you can copy this string and use it wherever you want. In this case, I'm going to copy it and paste it on jwt.io. And jwt.io is a pretty useful tool because you can use it anywhere as long as you have an internet connection. So you can actually verify the signature of a token in your web browser. Here, I already got an example token, but let's paste the token I just created. So if I scroll down here and paste my token, you'll see that my token signature is invalid. But that's because I need to fix the secret in this little field here. And if I copy my secret and paste that here, you can see that the token gets a "signature verified". Yay!

You can see here also the header of my token in this section that I got. It has two claims that PyJWT actually added for us. The first one is typ, which is used to say which type of token this is. And the second one is alg, which says which algorithm was used for signing this JWT. In the payload, you can see the data that we created. And one thing that you might not know is that jwt.io can be used to actually generate a token. So if you change any of the values I got, either in the header or in the payload, you see that my token actually changes. And that's it. You just generated and verified a token in a few easy steps.

Now, before you go, I want to show you an example of how to create a token using an asymmetrical algorithm. In this case, I'm going to use RS256. This time is where the cryptography package comes into play. Because RS256 uses a private and a public key, we need to load the private key for signing the token. And to do this, I need to import the serialization module from the cryptography package. So let's go back to my console. Let me clean this up a little bit and let's import my serialization module. And I already got my public-private key pair inside my .ssh folder in my local directory here.
And you can see that if I list the contents of my folder, .ssh. And because this key pair was created using the ssh-keygen tool, I need to use an SSH method to load it. So first things first, I need to read this private key file and save it into a variable. So the way I do this is like this, using the open method and the read method. And this will store my private key into the private key variable as a string. Then I need to pass the string as a bytes object to the load_ssh_private_key method from the serialization module. So I'm going to do this by creating a new key and encoding the private key variable. Oh, it's missing encode. Let me add that. Okay, no more error.

Now, keep in mind that for this example, this key doesn't have a password or a passphrase. But remember that securing keys is very important, so always generate the keys with passphrases.

And the heavy lifting is mostly done. You can now call the encode method once again, pass the key and choose the RS256 algorithm. And finally generate your token again. So I'm going to store that in a new variable. And if I print out this new token by calling it, you're done. Now I can copy-paste this into jwt.io once again, just to check it. And you can see here that I now have a different header, even though the content of the payload is the same.

Now you know all about JWTs and how to create them in Python. If you have any questions and want to see more videos like this here in the channel, leave a comment below. Also, remember to subscribe to the channel and check out the links section in the description of the video to find more information on JWTs. Thanks for watching and I'll see you soon.
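
What the secret-based (HS256) encode call and the jwt.io signature check described in this video do under the hood, as an added example that is not from the video and is not PyJWT's code: it rebuilds the three-part token with only the Python standard library and shows why a wrong secret or an edited payload fails verification. The secret, the claim values and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not the video's values).
SECRET = "constructed-demo-secret"
CLAIMS = {"sub": "1234567890", "name": "Jane Example", "nickname": "jane"}

def b64url(data: bytes) -> str:
    # JWT segments are URL-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def _mac(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(payload: dict, secret: str) -> str:
    # The signature covers "<header>.<payload>", so both parts are protected.
    signing_input = _segment({"typ": "JWT", "alg": "HS256"}) + "." + _segment(payload)
    return signing_input + "." + b64url(_mac(secret, signing_input))

def verify_hs256(token: str, secret: str) -> dict:
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # The verifier fixes the algorithm; the token's header does not get to choose.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = _mac(secret, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def with_edited_payload(token: str, **changes) -> str:
    # Re-encode the payload with changed claims but keep the old signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(b64url_decode(payload_b64)), **changes}
    return ".".join([header_b64, _segment(claims), sig_b64])
```

With PyJWT itself, the matching check is jwt.decode(token, key, algorithms=["HS256"]), which likewise makes the caller name the accepted algorithms.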