Django REST JWT Refresh Fix
In this tutorial, you'll learn about Django REST JWT Refresh Fix. We cover key concepts, practical examples, and best practices.
The Problem
Simple token auth has no expiry. If a token leaks, it's valid forever. JWT with short-lived access tokens and refresh tokens reduces the window of exposure.
Quick Fix
Wrong — no refresh, long-lived tokens
from rest_framework.authtoken.models import Token
# Token never expires — if leaked, it's usable indefinitely
token = Token.objects.create(user=user)
Output: Token is valid forever. No mechanism to rotate credentials.
Correct — JWT with refresh
# settings.py
INSTALLED_APPS = [
'rest_framework_simplejwt',
...
]
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework_simplejwt.authentication.JWTAuthentication',
]
}
from datetime import timedelta
SIMPLE_JWT = {
'ACCESS_TOKEN_LIFETIME': timedelta(minutes=30),
'REFRESH_TOKEN_LIFETIME': timedelta(days=7),
'ROTATE_REFRESH_TOKENS': True,
'AUTH_HEADER_TYPES': ('Bearer',),
}
# urls.py
from rest_framework_simplejwt.views import TokenObtainPairView, TokenRefreshView
urlpatterns = [
path('api/token/', TokenObtainPairView.as_view()),
path('api/token/refresh/', TokenRefreshView.as_view()),
]
Output: POST /api/token/ returns {access, refresh}. Access token expires in 30 min. POST /api/token/refresh/ with the refresh token returns a new access token.
Custom token claims
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
class CustomTokenSerializer(TokenObtainPairSerializer):
@classmethod
def get_token(cls, user):
token = super().get_token(user)
token['username'] = user.username
token['is_staff'] = user.is_staff
return token
Using refresh token in client
import requests
# Obtain tokens
resp = requests.post('https://api.example.com/api/token/', json={
'username': 'user', 'password': 'pass'
})
tokens = resp.json()
# Refresh when expired
resp = requests.post('https://api.example.com/api/token/refresh/', json={
'refresh': tokens['refresh']
})
tokens['access'] = resp.json()['access']
Prevention
- Keep access tokens short-lived (5-30 minutes).
- Use
ROTATE_REFRESH_TOKENS=Trueso old refresh tokens become invalid after use. - Store refresh tokens securely (HttpOnly cookies for web apps, secure storage for mobile).
Common Mistakes with rest jwt refresh
- Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
- Using
returnto exit a function early instead of wrapping a pure value in the monad - Mixing let bindings with <- bindings in do notation, producing type errors
These mistakes appear frequently in real-world DJANGO code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro