Python app example of authorization

Hi everybody,

Is there any working Python example of custom app authentication?
There is a Node example, but I cannot make it work on Python.

My Python code (powered by Flask and PyJWT)

import jwt
@app.route('/auth', methods=['GET'])
def auth():
    args = request.args
    token = args['token']
    data = jwt.decode(token, MY_CLIENT_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'])
    return Response()  # just a stub for now

So I’m getting error “Signature verification failed” when decode the token (jwt.decode method).
What am I do wrong?

Best regards,

Hi @snb,

Could you please confirm that you’re using your Signing Secret and not your Client Secret to decode the jwt?

You can find your Signing Secret in your App configuration page.

Yes, it worked, thank you. Meanwhile I have to add option

options={'verify_aud': False}

to “decode” function to make it work.

1 Like

Hello there @snb,

I am glad that worked!

I did not understand what you said about adding verify_aud to the options object. Would you please elaborate?

Looking forward to hearing from you!


@Matias.Monday the JWT contains an “aud” element. This is the full URL to which monday sent the original request. When we receive a token, we can look at our headers and determine to what URL the request was sent (or if someone is daring enough to hard code it into their code…)

We can pass this URL as follows (node.js)

jwt.verify(authHeader, secretKey, { audience: url })

Doing so, jwt.verify also checks that the token was sent by monday to the URL in question. I use it in my auth stage, as just a tiny bit of extra checking. Obviously an issue if you use redirects.

Now just if the expiration timestamp in the jwt wasnt several minutes after the one in the shortLivedToken which is when the API server starts rejecting the token. So I have to also verify the slt to get the real expiration time, so I can reject the request if the slt is too close to becoming invalid to complete execution of the scenario.

1 Like

My code is:

data = jwt.decode(token, MY_SIGNING_SECRET, algorithms=['HS256', 'SHA256', 'RSASSA', 'HMAC'], options={'verify_aud': False})
1 Like

yes, thats for python, i was just giving matias a node example and explanation.

1 Like

Just checking – @snb did you get this working in the end? Seems like yes, but wanted to confirm :slight_smile: