If you interact with APIs, you've probably heard of JSON Web Tokens before. This compact way of exchanging information made its way into most of the major web frameworks out there. And if you're wondering how to parse and validate JWTs in Python, you came to the right place. I'm Jessica Temporal, a developer advocate here at Auth0. If you need to understand the basics of JWTs, I recommend you watch my previous video on how to create JWTs in Python, linked in the description below. And without further ado, let's write some code.

I already created and activated a Python environment, and I already have PyJWT and IPython installed. But if you need to install them on your end, you can do it by running this command. This will install all you need. So PyJWT is the most popular library for dealing with JWTs, and we are going to use that today. And IPython is an interactive Python console. It has a few features like code completion and syntax highlighting that I really like, but feel free to choose whichever interface or Python console you prefer. So let me clear this and start my console, ipython, and I'm going to import jwt.

Now, I already have a token whose signature I want to verify. Let me copy that. And it is this token here. And with PyJWT, this will take one simple line of code. Yes, only one. You just need to use the decode method from the jwt module and pass the token and the secret. And that would be it. So this would be jwt.decode, my token, the secret, and the algorithm used for signing the token. Of course, this only takes one line of code because I already know everything there is to know about this token. And you can note here that the output of this command is actually a dictionary with the payload of my token. And this is printed out because this token was successfully verified. So that's the only way we can see the payload. So I will show you what happens when the verification fails in a bit. But let's say you don't know how this token was generated, right?
So one thing that you could do is copy this token and paste it on our friendly jwt.io. And here's jwt.io, which I opened in my browser, and it already has an example token. I can paste my new token here and you can see the header, the payload, and that the signature is not verified because I didn't fill in the correct secret for this token. But what if you want to use Python to check this out? The way to do it is actually using PyJWT once more. And let's go over how you can do that. Because PyJWT is such a nice tool, there is one method for decoding the header of the token. So instead of going to jwt.io, you can get the header without actually verifying the signature of the token. And believe me, you could do this manually by taking the part of the string that has the header, decoding it, and turning it into a dictionary. But this would take two extra modules and a few lines of code. So I don't want to do that. And PyJWT actually gives me a method to do that. So let's see how that works.

So instead of using decode this time, I'm going to use jwt.get_unverified_header, and I'm going to pass my token. And now you can see here my header. It is also a dictionary. And if I store this header in a variable, you can use that to make your scripts a bit smarter. That's awesome, right? So let me do that and do header_data equals the result of get_unverified_header. Now I can reuse this to decode my token. So if I come here, because this is a dictionary, I can access the algorithm. Let me make this a little bit bigger so you can see the algorithm by referring to the dictionary and the algorithm key, alg. And if I run this, you can see the same payload once more. And just like that, looks like magic, right? And so far, you may be saying, okay, everything's rainbows and unicorns, everything works. But we know real life isn't like this, right? So what happens if my token doesn't get verified? Let's say, I don't know, it expired.
So let's see how you can deal with failing to verify the token itself. What happens is, when you try to verify a token that is not verifiable, for instance an expired token, PyJWT will raise an error. So I got another token that I can use for this. And let me copy that. And I'm also going to copy the code that I already got. Okay, so this token here actually has an expiration date set in the past from today. And because it is expired, when I try to decode it, it's going to give an error. So let's see what happens. And you can see here, it gives me the ExpiredSignatureError. And if I scroll up, because IPython shows a very detailed traceback, it shows the error happened when I tried to use the decode method. Awesome. But now that you know that, how can you handle this in your scripts? So one way to do it is actually using the errors that come with PyJWT. And what I can do is actually import them from the exceptions module. And I'm going to import this specific error, ExpiredSignatureError. And now I can do a try/except clause to deal with this error when it happens. So my code would look a little bit like this. So now you can see here that I have a try. It tries to decode, and if it fails because of the ExpiredSignatureError, it prints out a friendly error. So if I run this, you can see here that instead of having that enormous traceback, I can see that the signature is expired. Awesome.

Now, if you need more details on the steps that are required for validating or verifying your tokens, I recommend you read Auth0's documentation on the subject, which is linked in the description below. Now, before I finish this video, I want to make sure that you know how to verify the signature of your token if we use an asymmetric algorithm. And if you don't know what that is, that's okay. An asymmetric algorithm like RS256 is one that uses a private key for signing and a public key for verifying the signature. So let's do just that.
I already have a token here again. I'm going to clean this script because this token is a little bit big. And this one was signed using RS256. So let's verify the signature of this other token. So the first thing I need to do is actually read the public key so I can do the verification. So I already have my public key inside of a .ssh folder in my working directory. So you can see that here. So that's that. And I can read it and store it in the public_key variable because I want to use it. So the first thing, I open it and then I use the read method so that I can get the bytes version of this key. And after that, I need to do two more steps. So it is important to know that this particular key was generated using ssh-keygen. And because ssh-keygen uses a particular encryption algorithm that I'm not going to go over right now, that means I need a specific method to be able to load this key and use it. So that takes me to the second step after this one, which is to import the method I need to use to read this key. So this comes from the serialization module of the cryptography package. And the way to do it is actually: from cryptography, I want the module hazmat.primitives, and from there I can import serialization. Now what I need to do is actually load this key using the serialization module. So to do that, I'm going to save my key into a key variable because I want to use it later. And I'm going to call serialization.load, and you can see here I have a number of loading methods. And the one that I want is actually load_ssh_public_key. So what I need to do is pass the bytes version of my key, because the read method gave me a string, and load_ssh_public_key actually requires a bytes object. So the way to do this is calling the string's encode method. I'm going to do that here. And once I run this, I get the loaded version of my public key. And now I can use this key to actually verify my token. So let's do that once more.
And I'm going to copy my code from my notes. And now I got it. You can see here that instead of using a secret, I'm now using my key. And I updated the algorithms list to reflect the algorithm used. And now you see the result of my verification. And that's it. You just verified a JWT signed with an asymmetric algorithm. Yay you! That's all for today, folks. Now you know all the necessary steps needed to validate your JWTs in Python. If you have any questions or want to see more videos like this here on the channel, leave a comment down below. Also, remember to subscribe to the channel and check out the links section in the description of this video. There you'll find a link to the GitHub repo with all the code that I showed today, a blog post on the same topic, and a link to the JWT Handbook in case you need more in-depth resources on JWTs. Thank you for watching and I'll see you soon. Bye.
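Added example, not from the video or its companion repo: the same verification flow the video walks through (jwt.decode, jwt.get_unverified_header, and the ExpiredSignatureError try/except), reimplemented with only the Python standard library so it runs without PyJWT and makes visible what that one-line decode actually checks. It covers HS256 only; RS256 needs an RSA implementation such as the cryptography package used in the video. One deliberate choice: the verifier pins the algorithm itself and only requires the header to agree, instead of feeding the header's alg value back into the decode call. Until the signature has been checked, the header is under the token issuer's (or an attacker's) control, so letting it choose the algorithm is how "alg": "none" and RS256-to-HS256 confusion attacks work; this is why PyJWT's decode takes an explicit algorithms list. All function names, the secret and the sample claims below are assumptions made up for this example.

```python
"""Standard-library HS256 JWT verifier (added example; names are assumptions,
not PyJWT's API)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidTokenError(Exception):
    """Any structural or signature failure."""


class ExpiredSignatureError(InvalidTokenError):
    """Signature is valid but the 'exp' claim has passed."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    data = segment.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_hs256(payload: dict, secret: str) -> str:
    """Build a signed token so the example runs offline (fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def get_unverified_header(token: str) -> dict:
    """Decode the first segment only; nothing in it is trusted yet."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError as exc:  # binascii.Error and UnicodeError are ValueErrors
        raise InvalidTokenError("malformed token header") from exc
    if not isinstance(header, dict):
        raise InvalidTokenError("token header is not a JSON object")
    return header


def decode_hs256(token: str, secret: str, now: Optional[float] = None) -> dict:
    """Verify signature and expiry, then return the payload (like jwt.decode)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("token must have exactly three segments")
    header = get_unverified_header(token)
    # The verifier fixes the algorithm; the header merely has to agree.
    # Reading 'alg' from the header would let the token pick 'none' or swap schemes.
    if header.get("alg") != "HS256":
        raise InvalidTokenError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    try:
        presented = b64url_decode(parts[2])
    except ValueError as exc:
        raise InvalidTokenError("malformed signature segment") from exc
    # Constant-time comparison so a mismatch leaks nothing about the MAC.
    if not hmac.compare_digest(expected, presented):
        raise InvalidTokenError("signature verification failed")
    payload = json.loads(b64url_decode(parts[1]))  # only trusted after the MAC check
    current = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= current:
        raise ExpiredSignatureError("signature has expired")
    return payload


def check_token(token: str, secret: str, now: Optional[float] = None):
    """The video's try/except pattern: return (status, payload or message)."""
    try:
        return "ok", decode_hs256(token, secret, now)
    except ExpiredSignatureError:
        return "expired", "Signature expired, please request a new token"
    except InvalidTokenError as exc:
        return "invalid", str(exc)


if __name__ == "__main__":
    secret = "example-secret"  # assumption: made-up shared secret
    good = encode_hs256({"sub": "user-1", "exp": 2_000_000_000}, secret)
    stale = encode_hs256({"sub": "user-1", "exp": 1_000_000_000}, secret)
    print(get_unverified_header(good))
    print(check_token(good, secret))
    print(check_token(stale, secret))
    print(check_token(good, "wrong-secret"))
```

With PyJWT the same checks are the single call from the video, jwt.decode(token, secret, algorithms=["HS256"]), with the list chosen by your code rather than copied from header_data; the block above only spells out what that call does and why the list is worth pinning.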