Bird
Raised Fist0
Djangoframework~5 mins

DRF authentication (Token, JWT) in Django - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is Token Authentication in Django REST Framework?
Token Authentication is a simple way to secure API endpoints by assigning a unique token to each user. The client sends this token with each request to prove their identity.
Click to reveal answer
beginner
What does JWT stand for and what is its main advantage?
JWT stands for JSON Web Token. Its main advantage is that it is self-contained, meaning it carries user information inside the token itself, allowing stateless authentication without server-side sessions.
Click to reveal answer
intermediate
How does Token Authentication differ from JWT Authentication in DRF?
Token Authentication uses a simple token stored on the server linked to a user, requiring server-side storage. JWT Authentication encodes user data in the token itself, so the server does not need to store session info, making it stateless.
Click to reveal answer
intermediate
How do you add Token Authentication to a DRF project?
Add 'rest_framework.authtoken' to INSTALLED_APPS, run migrations, and then include 'rest_framework.authentication.TokenAuthentication' in your REST_FRAMEWORK settings. Clients send the token in the 'Authorization' header as 'Token <token>'.
Click to reveal answer
intermediate
What is the typical structure of a JWT token?
A JWT token has three parts separated by dots: Header (algorithm info), Payload (user data and claims), and Signature (to verify token integrity). It looks like: header.payload.signature
Click to reveal answer
In DRF Token Authentication, where is the token stored?
AOn the server linked to the user
BInside the token itself with user data
COnly on the client side
DIn the database of the client
What header do clients use to send a JWT token in DRF?
AAuthorization: Bearer <token>
BToken: <token>
CAuth: JWT <token>
DX-Auth-Token: <token>
Which of these is a benefit of JWT over Token Authentication?
AOnly works with session cookies
BSimpler token format
CRequires server to store tokens
DStateless authentication without server storage
Which Django app must be added to use Token Authentication in DRF?
Adjango.contrib.auth
Brest_framework_jwt
Crest_framework.authtoken
Ddjango.middleware.security
What are the three parts of a JWT token?
AUser, Password, Token
BHeader, Payload, Signature
CKey, Value, Secret
DAlgorithm, Data, Checksum
Explain how Token Authentication works in Django REST Framework and how a client uses it.
Think about how the server and client share a secret token.
You got /3 concepts.
    Describe the structure of a JWT token and why it allows stateless authentication.
    JWT is like a sealed envelope carrying user info.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main difference between TokenAuthentication and JWTAuthentication in Django REST Framework?
      easy
      A. TokenAuthentication uses simple tokens stored on the server; JWTAuthentication uses encoded tokens with expiry.
      B. TokenAuthentication requires username and password every request; JWTAuthentication does not.
      C. TokenAuthentication encrypts tokens; JWTAuthentication sends tokens as plain text.
      D. TokenAuthentication is only for web apps; JWTAuthentication is only for mobile apps.

      Solution

      1. Step 1: Understand TokenAuthentication

        TokenAuthentication uses a simple token string stored on the server and sent by the client to identify the user.

      2. Step 2: Understand JWTAuthentication

        JWTAuthentication uses JSON Web Tokens that are encoded, include expiry info, and do not require server storage.

      3. Final Answer:

        TokenAuthentication uses simple tokens stored on the server; JWTAuthentication uses encoded tokens with expiry. -> Option A

      4. Quick Check:

        Token vs JWT difference = D [OK]
      Hint: Token is simple stored string; JWT is encoded with expiry [OK]
      Common Mistakes:
      • Thinking JWT tokens are stored on the server
      • Confusing token encryption with encoding
      • Assuming TokenAuthentication requires password every request
      2. Which of the following is the correct way to add TokenAuthentication to a Django REST Framework view?
      easy
      A. authentication_classes = ["rest_framework.authentication.TokenAuthentication"]
      B. authentication_classes = [TokenAuthentication]
      C. authentication_classes = [rest_framework.authentication.TokenAuthentication]
      D. authentication_classes = [TokenAuthentication()]

      Solution

      1. Step 1: Recall how to import and use authentication classes

        Authentication classes must be imported and instantiated, so use TokenAuthentication() not just the class name or string.

      2. Step 2: Check syntax for authentication_classes

        It expects a list of authentication class instances, so the correct syntax is [TokenAuthentication()] with parentheses.

      3. Final Answer:

        authentication_classes = [TokenAuthentication()] -> Option D

      4. Quick Check:

        Use class instances in list = A [OK]
      Hint: Use class instances with parentheses in authentication_classes list [OK]
      Common Mistakes:
      • Using strings instead of class instances
      • Forgetting parentheses after class name
      • Not importing TokenAuthentication before use
      3. Given this Django REST Framework view snippet using JWTAuthentication, what will happen if the token is expired?
      from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework.views import APIView
from rest_framework.response import Response

class MyView(APIView):
    authentication_classes = [JWTAuthentication()]

    def get(self, request):
        return Response({"user": str(request.user)})
      medium
      A. The request will succeed but request.user will be None.
      B. The request will succeed and return the user even if token expired.
      C. The request will be denied with a 401 Unauthorized error.
      D. The server will crash with an exception.

      Solution

      1. Step 1: Understand JWTAuthentication behavior on expired tokens

        JWTAuthentication checks token expiry and rejects requests with expired tokens by raising an authentication error.

      2. Step 2: Effect on the APIView request

        When token is expired, the request is denied with a 401 Unauthorized response automatically by DRF.

      3. Final Answer:

        The request will be denied with a 401 Unauthorized error. -> Option C

      4. Quick Check:

        Expired JWT causes 401 error = B [OK]
      Hint: Expired JWT tokens cause 401 Unauthorized error [OK]
      Common Mistakes:
      • Assuming expired token returns user as None
      • Thinking expired token lets request pass
      • Expecting server crash on expired token
      4. You wrote this code to enable TokenAuthentication but your API always returns 403 Forbidden. What is the likely mistake?
      from rest_framework.authentication import TokenAuthentication

class MyView(APIView):
    authentication_classes = [TokenAuthentication]

    def get(self, request):
        return Response({"message": "Hello"})
      medium
      A. Forgot to add parentheses after TokenAuthentication in authentication_classes.
      B. TokenAuthentication is not imported correctly.
      C. The get method should be named post.
      D. authentication_classes should be a tuple, not a list.

      Solution

      1. Step 1: Check authentication_classes syntax

        authentication_classes must contain instances, so TokenAuthentication() with parentheses, not the class itself.

      2. Step 2: Effect of missing parentheses

        Without parentheses, DRF does not recognize the authentication class properly, causing 403 Forbidden errors.

      3. Final Answer:

        Forgot to add parentheses after TokenAuthentication in authentication_classes. -> Option A

      4. Quick Check:

        Use TokenAuthentication() not TokenAuthentication = C [OK]
      Hint: Always instantiate authentication classes with () [OK]
      Common Mistakes:
      • Using class name without parentheses
      • Confusing 403 with 401 errors
      • Changing method name unnecessarily
      5. You want to protect an API endpoint so only users with a valid JWT token can access it, and you want tokens to expire after 5 minutes. Which settings and code changes should you apply?
      hard
      A. Set TOKEN_EXPIRE_TIME = 300 in settings and use TokenAuthentication() in authentication_classes.
      B. Set SIMPLE_JWT['ACCESS_TOKEN_LIFETIME'] = timedelta(minutes=5) in settings and use JWTAuthentication() in authentication_classes.
      C. Use JWTAuthentication() in authentication_classes and set JWT_EXPIRATION_DELTA = 5 in settings.
      D. Use TokenAuthentication() and manually check token age in the view.

      Solution

      1. Step 1: Configure JWT token expiry

        In Django REST Framework Simple JWT, set ACCESS_TOKEN_LIFETIME to 5 minutes using timedelta in settings.

      2. Step 2: Use JWTAuthentication in the view

        Set authentication_classes = [JWTAuthentication()] to enforce JWT token authentication on the endpoint.

      3. Final Answer:

        Set SIMPLE_JWT['ACCESS_TOKEN_LIFETIME'] = timedelta(minutes=5) in settings and use JWTAuthentication() in authentication_classes. -> Option B

      4. Quick Check:

        JWT expiry + JWTAuthentication = A [OK]
      Hint: Set ACCESS_TOKEN_LIFETIME and use JWTAuthentication() [OK]
      Common Mistakes:
      • Using TokenAuthentication instead of JWTAuthentication
      • Setting wrong expiry setting names
      • Trying to manually check token expiry in views